Abstract

Event clock automata (ECA) are a model for timed languages that has been introduced by Alur, Fix and Henzinger as an alternative to timed automata, with better theoretical properties (for instance, ECA are determinizable while timed automata are not). In this paper, we revisit and extend the theory of ECA. We first prove that no finite time abstract language equivalence exists for ECA, thereby disproving a claim in the original work on ECA. This means in particular that regions do not form a time abstract bisimulation. Nevertheless, we show that regions can still be used to build a finite automaton recognizing the untimed language of an ECA. Then, we extend the classical notions of zones and DBMs to let them handle event clocks instead of plain clocks (as in timed automata) by introducing event zones and Event DBMs (EDBMs). We discuss algorithms to handle event zones represented as EDBMs, as well as (semi-)algorithms based on EDBMs to decide language emptiness of ECA.



1 Introduction 

Timed automata have been introduced by Alur and Dill in the early nineties [2] and are a successful and popular model to reason about timed behaviors of computer systems. Where finite automata represent behaviors by finite sequences of actions, timed automata define sets of timed words (called timed languages) that are finite sequences of actions, each paired with a real time stamp. To this end, timed automata extend finite automata with a finite set of real valued clocks, that can be tested and reset with each action of the system. The theory of timed automata is now well developed [1]. The algorithms to analyse timed automata have been implemented in several tools such as Kronos [7] or UppAal (which is increasingly applied in industrial case studies) [4].

Timed automata, however, suffer from certain weaknesses, at least from the theoretical point of view. As a matter of fact, timed automata are not determinizable and cannot be complemented in general [2]. Intuitively, this stems from the fact that the reset of the clocks cannot be made deterministic w.r.t. the word being read. Indeed, from a given location, there can be two transitions, labeled by the same action $a$ but with different reset sets.

This observation has prompted Alur, Fix and Henzinger to introduce the class of event clock automata (ECA for short) [3], as an alternative model for timed languages. Unlike timed automata, ECA force the clock resets to be strongly linked to the occurrences of actions. More precisely, for each action $a$ of the system, there are two clocks $\overleftarrow{x}_a$ and $\overrightarrow{x}_a$ in an ECA: $\overleftarrow{x}_a$ is the history clock of $a$ and always records the time elapsed since the last occurrence of $a$. Symmetrically, $\overrightarrow{x}_a$ is the prophecy clock for $a$, and always predicts the time distance up to the next occurrence of $a$. As a consequence, while history clocks see their values increase with time elapsing (like clocks in timed automata do), the values of prophecy clocks decrease over time. However, this scheme ensures that the value of any clock is uniquely determined at any point in the timed word being read, no matter what path is being followed in the ECA. A nice consequence of this definition is that ECA are determinizable [3]. While the theory of ECA has witnessed some developments [13, 11, 15, 9, 12] since the seminal paper, no tool is available that exploits the full power of event clocks (the only tool we are aware of is Tempo [14] and it is restricted to event-recording automata, i.e. ECA with history clocks only).

In this paper, we revisit and extend the theory of ECA, with the hope to make it more practical and amenable to implementation. A widespread belief [3] about ECA and their analysis is that ECA are similar enough to timed automata that the classical techniques (such as regions, zones or DBMs) developed for them can readily be applied to ECA. The present research, however, highlights fundamental discrepancies between timed automata and ECA:

1. First, we show that there is no finite time abstract language equivalence on the valuations of event clocks, whereas the region equivalence [2] is a finite time abstract language equivalence for timed automata. This implies, in particular, that regions do not form a finite time-abstract bisimulation for ECA, thereby contradicting a claim found in the original paper on ECA [3].

2. With timed automata, checking language emptiness can be done by building the so-called region automaton [2] which recognizes $\mathrm{Untime}(L(A))$, the untimed version of $A$'s timed language. A consequence of the surprising result of point 1 is that, for some ECA $A$, the region automaton recognizes a strict subset of $\mathrm{Untime}(L(A))$. Thus, the region automaton (as defined in [2]) is not a sound construction for checking language emptiness of ECA. We show however that a slight modification of the original definition (that we call the existential region automaton) allows to recover $\mathrm{Untime}(L(A))$. Unlike the timed automata case, our proof cannot rely on bisimulation arguments, and requires original techniques.

3. Efficient algorithms to analyze timed automata are best implemented using zones [1], that are in turn represented by DBMs [10]. Unfortunately, zones and DBMs cannot be directly applied to ECA. Indeed, a zone is, roughly speaking, a conjunction of constraints of the form $x - y \prec c$, where $x, y$ are clocks, $\prec$ is either $<$ or $\leq$ and $c$ is an integer. This makes sense in the case of timed automata, since the difference of two clock values is an invariant with time elapsing. This is not the case when we consider event clocks, as prophecy and history clocks evolve in opposite directions with time elapsing. Thus, we introduce the notions of event zones and Event DBMs that can handle constraints of the form $x + y \prec c$, when $x$ and $y$ are of different types.

4. In the case of timed automata two basic, zone-based algorithms for solving language emptiness have been studied: the forward analysis algorithm that iteratively computes all the states reachable from the initial state, and the backward analysis algorithm that computes all the states that can reach an accepting state. While the former might not terminate in general, the latter is guaranteed to terminate [1]. We show that this is not the case anymore with ECA: both algorithms might not terminate, again because of event clocks evolving in opposite directions.

These observations reflect the structure of the paper. We close it by discussing the possibility to define widening operators, adapted from the closure by region and the $k$-approximation that have been defined for timed automata [6]. The hardest part of this future work will be to obtain a proof of correctness for these operators, since, here again, we will not be able to rely on bisimulation arguments.



2 Preliminaries

Words and timed words An alphabet $\Sigma$ is a finite set of symbols. A (finite) word is a finite sequence $w = w_0 w_1 \cdots w_n$ of elements of $\Sigma$. We denote the length of $w$ by $|w|$. We denote by $\Sigma^*$ the set of words over $\Sigma$. A timed word over $\Sigma$ is a pair $\theta = (\tau, w)$ such that $w$ is a word over $\Sigma$ and $\tau = \tau_0 \tau_1 \cdots \tau_{|w|-1}$ is a word over $\mathbb{R}^{\geq 0}$ with $\tau_i \leq \tau_{i+1}$ for all $0 \leq i < |w| - 1$. We denote by $T\Sigma^*$ the set of timed words over $\Sigma$. A (timed) language is a set of (timed) words. For a timed word $\theta = (\tau, w)$, we let $\mathrm{Untime}(\theta) = w$. For a timed language $L$, we let $\mathrm{Untime}(L) = \{\mathrm{Untime}(\theta) \mid \theta \in L\}$.

Event clocks Given an alphabet $\Sigma$, we define the set of associated event clocks $C_\Sigma = H_\Sigma \cup P_\Sigma$, where $H_\Sigma = \{\overleftarrow{x}_\sigma \mid \sigma \in \Sigma\}$ is the set of history clocks, and $P_\Sigma = \{\overrightarrow{x}_\sigma \mid \sigma \in \Sigma\}$ is the set of prophecy clocks. A valuation of a set of clocks $C$ is a function $v : C \to \mathbb{R}^{\geq 0} \cup \{\bot\}$, where $\bot$ means that the clock value is undefined. We denote by $V(C)$ the set of all valuations of the clocks in $C$. For a valuation $v \in V(C)$, for all $x \in H_\Sigma$, we let $\langle v(x) \rangle = \lceil v(x) \rceil - v(x)$ and for all $x \in P_\Sigma$, we let $\langle v(x) \rangle = v(x) - \lfloor v(x) \rfloor$, where $\lfloor v(x) \rfloor$ and $\lceil v(x) \rceil$ denote respectively the largest previous and smallest following integer (so that, for both kinds of clocks, $\langle v(x) \rangle$ is the delay after which $x$ reaches its next integer value). We also denote by $v^c$ the valuation s.t. $v^c(x) = v(x)$ for all $x \in H_\Sigma$, and $v^c(x) = -v(x)$ for all $x \in P_\Sigma$.

For all valuations $v \in V(C)$ and all $d \in \mathbb{R}^{\geq 0}$ s.t. $v(x) \geq d$ for all $x \in P_\Sigma \cap C$ with $v(x) \neq \bot$, we define the valuation $v + d$ obtained from $v$ by letting $d$ time units elapse: for all $x \in H_\Sigma \cap C$, $(v + d)(x) = v(x) + d$ and for all $x \in P_\Sigma \cap C$, $(v + d)(x) = v(x) - d$, with the convention that $\bot + d = \bot - d = \bot$. A valuation is initial iff $v(x) = \bot$ for all $x \in H_\Sigma$, and final iff $v(x) = \bot$ for all $x \in P_\Sigma$. We note $v[x := c]$ the valuation that matches $v$ on all its clocks except for $v(x)$ that equals $c$.

An atomic clock constraint over $C \subseteq C_\Sigma$ is either $\mathit{true}$ or of the form $x \sim c$, where $x \in C$, $c \in \mathbb{N}$ and $\sim \in \{<, >, =\}$. A clock constraint over $C$ is a Boolean combination of atomic clock constraints. We denote $\mathrm{Constr}(C)$ the set of all possible clock constraints over $C$. A valuation $v \in V(C)$ satisfies a clock constraint $\psi \in \mathrm{Constr}(C)$, denoted $v \models \psi$, according to the following rules: $v \models \mathit{true}$; $v \models x \sim c$ iff $v(x) \sim c$; $v \models \neg\psi$ iff $v \not\models \psi$; and $v \models \psi_1 \wedge \psi_2$ iff $v \models \psi_1$ and $v \models \psi_2$.

Event-clock automata An event-clock automaton $A = (Q, q_i, \Sigma, \delta, \alpha)$ (ECA for short) is a tuple, where $Q$ is a finite set of locations, $q_i \in Q$ is the initial location, $\Sigma$ is an alphabet, $\delta \subseteq Q \times \Sigma \times \mathrm{Constr}(C_\Sigma) \times Q$ is a finite set of edges, and $\alpha \subseteq Q$ is the set of accepting locations. We additionally require that, for each $q \in Q$, $\sigma \in \Sigma$, $\delta$ is defined for a finite number of $\psi \in \mathrm{Constr}(C_\Sigma)$. An extended state (or simply state) of an ECA $A = (Q, q_i, \Sigma, \delta, \alpha)$ is a pair $(q, v)$ where $q \in Q$ is a location, and $v \in V(C_\Sigma)$ is a valuation.

Runs and accepted language The semantics of an ECA $A = (Q, q_i, \Sigma, \delta, \alpha)$ is best described by an infinite transition system $TS_A = (Q^A, Q^A_i, \to, \alpha^A)$, where $Q^A = Q \times V(C_\Sigma)$ is the set of extended states of $A$, $Q^A_i = \{(q_i, v) \mid v \text{ is initial}\}$ and $\alpha^A = \{(q, v) \mid q \in \alpha \text{ and } v \text{ is final}\}$. The transition relation $\to \subseteq Q^A \times \mathbb{R}^{\geq 0} \times Q^A \cup Q^A \times \Sigma \times Q^A$ is s.t. (i) $((q, v), t, (q, v')) \in \to$ iff $v' = v + t$ (we denote this by $(q, v) \xrightarrow{t} (q, v')$), and (ii) $((q, v), \sigma, (q', v')) \in \to$ iff there is $(q, \sigma, \psi, q') \in \delta$ and $\bar{v} \in V(C_\Sigma)$ s.t. $\bar{v}[\overrightarrow{x}_\sigma := 0] = v$, $\bar{v}[\overleftarrow{x}_\sigma := 0] = v'$ and $\bar{v} \models \psi$ (we denote this by $(q, v) \xrightarrow{\sigma} (q', v')$). We note $(q, v) \xrightarrow{t, \sigma} (q', v')$ whenever there is $(q'', v'')$ s.t. $(q, v) \xrightarrow{t} (q'', v'') \xrightarrow{\sigma} (q', v')$. Intuitively, this means that a history clock $\overleftarrow{x}_\sigma$ always records the time elapsed since the last occurrence of the corresponding $\sigma$ event, and that a prophecy clock $\overrightarrow{x}_\sigma$ always predicts the delay up to the next occurrence of $\sigma$. Thus, when firing a $\sigma$-labeled transition, the guard must be tested against $\bar{v}$ (as defined above) because it correctly predicts the next occurrence of $\sigma$ and correctly records its last occurrence (unlike $v$ and $v'$, as $v(\overrightarrow{x}_\sigma) = 0$ and $v'(\overleftarrow{x}_\sigma) = 0$).

A sequence $(q_0, v_0)(t_0, w_0)(q_1, v_1)(t_1, w_1)(q_2, v_2) \cdots (q_n, v_n)$ is a $(q, v)$-run of $A$ on the timed word $\theta = (\tau, w)$ iff: $(q_0, v_0) = (q, v)$, $t_0 = \tau_0$, for any $1 \leq i \leq n - 1$: $t_i = \tau_i - \tau_{i-1}$, and for any $0 \leq i \leq n - 1$: $(q_i, v_i) \xrightarrow{t_i, w_i} (q_{i+1}, v_{i+1})$. A $(q, v)$-run is initialized iff $(q, v) \in Q^A_i$ (in this case, we simply call it a run). A $(q, v)$-run on $\theta$, ending in $(q_n, v_n)$, is accepting iff $(q_n, v_n) \in \alpha^A$. In this case, we say that the run accepts $\theta$. For an ECA $A$ and an extended state $(q, v)$ of $A$, we denote by $L(A, (q, v))$ the set of timed words accepted by a $(q, v)$-run of $A$, and by $L(A)$ the set of timed words accepted by an initialized run of $A$.



3 Equivalence relations for event-clocks

A classical technique to analyze timed transition systems is to define time abstract equivalence relations on the set of states, and to reason on the quotient transition system. In the case of timed automata, a fundamental concept is the region equivalence [2], which is a finite time-abstract bisimulation, and allows to decide properties of timed automata such as reachability. Contrary to a widespread belief [3], we show that the class of ECA does not benefit from these properties, as ECA admit no finite time-abstract language equivalence.

Time-abstract equivalence relations Let $\mathcal{C}$ be a class of ECA, all sharing the same alphabet $\Sigma$. We recall three equivalence notions on event clock valuations:

• $\preceq \subseteq V(C_\Sigma) \times V(C_\Sigma)$ is a time abstract simulation relation for the class $\mathcal{C}$ iff, for all $A \in \mathcal{C}$, for all locations $q$ of $A$, for all $(v_1, v_2) \in \preceq$, for all $t_1 \in \mathbb{R}^{\geq 0}$, for all $\sigma \in \Sigma$: $(q, v_1) \xrightarrow{t_1, \sigma} (q', v_1')$ implies that there exists $t_2 \in \mathbb{R}^{\geq 0}$ s.t. $(q, v_2) \xrightarrow{t_2, \sigma} (q', v_2')$ and $v_1' \preceq v_2'$. In this case, we say that $v_2$ simulates $v_1$. Finally, $\approx \subseteq V(C_\Sigma) \times V(C_\Sigma)$ is a time abstract simulation equivalence iff there exists a time abstract simulation relation $\preceq$ s.t. $\approx = \{(v_1, v_2) \mid v_1 \preceq v_2 \text{ and } v_2 \preceq v_1\}$.

• $\approx$ is a time abstract bisimulation equivalence for the class $\mathcal{C}$ iff it is a symmetric time abstract simulation for the class $\mathcal{C}$.

• $\approx_L \subseteq V(C_\Sigma) \times V(C_\Sigma)$ is a time abstract language equivalence for the class $\mathcal{C}$ iff for all $A \in \mathcal{C}$, for all locations $q$ of $A$, for all $(v_1, v_2) \in \approx_L$: $\mathrm{Untime}(L(A, (q, v_1))) = \mathrm{Untime}(L(A, (q, v_2)))$.

We say that an equivalence relation is finite iff it is of finite index. Clearly, any time abstract bisimulation is a time abstract simulation equivalence, and any time abstract simulation equivalence is a time abstract language equivalence. We prove the absence of finite time abstract language equivalence for ECA, thanks to $A_{\mathrm{inf}}$ depicted in Fig. 1.

Proposition 1. There is no finite time abstract language equivalence for ECA.

Proof. Let us assume that $\approx_L$ is a time abstract language equivalence on the class of ECA. We will show, thanks to $A_{\mathrm{inf}}$, that $\approx_L$ has necessarily infinitely many equivalence classes.

For any $n \in \mathbb{N}$, let $v^n$ denote the initial valuation of $C_{\{a,b\}}$ s.t. $v^n(\overrightarrow{x}_a) = n$ and $v^n(\overrightarrow{x}_b) = 0$, and let $\theta^n$ denote the timed word $(b, 0)(b, 1)(b, 2) \cdots (b, n-1)(a, n)$. Observe that, for any $n > 0$, there is only one run of $A_{\mathrm{inf}}$ starting in $(q_0, v^n)$ and this run accepts $\theta^n$. Hence, for any $n > 0$: $\mathrm{Untime}(L(A_{\mathrm{inf}}, (q_0, v^n))) = \mathrm{Untime}(\{\theta^n\}) = \{b^n a\}$.

Figure 1: The automaton $A_{\mathrm{inf}}$

Now, let $j, k$ be two natural values with $j \neq k$. Let $s^j = (q_0, v^j)$ and $s^k = (q_0, v^k)$. Clearly, $v^j \not\approx_L v^k$ since $\mathrm{Untime}(L(A_{\mathrm{inf}}, s^j)) \neq \mathrm{Untime}(L(A_{\mathrm{inf}}, s^k))$. Since this is true for infinitely many pairs $(v^j, v^k)$, $\approx_L$ has necessarily an infinite number of equivalence classes. Thus, there is no finite time abstract language equivalence on the class of ECA. □

Corollary 1. There is no finite time abstract language equivalence, no finite time abstract simulation equivalence and no finite time abstract bisimulation for ECA.



4 Regions and event clocks

For the class of timed automata, the region equivalence has been shown to be a finite time-abstract bisimulation, which is used to build the so-called region automaton, a finite-state automaton recognizing $\mathrm{Untime}(L(A))$ for all timed automata $A$ [2]. Corollary 1 tells us that regions are not a time-abstract bisimulation for ECA (contrary to what was claimed in [3]). Let us show that we can nevertheless rely on the notion of region to build a finite automaton recognizing $\mathrm{Untime}(L(A))$ for all ECA $A$.

Regions Let us fix a set of clocks $C \subseteq C_\Sigma$ and a constant $cmax \in \mathbb{N}$. We first recall two region equivalences from the literature. The former, denoted $\approx_{cmax}$, is the classical Alur-Dill region equivalence for timed automata [2] while the latter (denoted $\approx^{c}_{cmax}$) is adapted from Bouyer [6] and refines the former:

• For any $v_1, v_2 \in V(C)$: $v_1 \approx_{cmax} v_2$ iff:

(C1) for all $x \in C$: $v_1(x) = \bot$ iff $v_2(x) = \bot$,

(C2) for all $x \in C$: either $v_1(x) > cmax$ and $v_2(x) > cmax$, or $\lceil v_1(x) \rceil = \lceil v_2(x) \rceil$ and $\lfloor v_1(x) \rfloor = \lfloor v_2(x) \rfloor$,

(C3) for all $x_1, x_2 \in C$ s.t. $v_1(x_1) \leq cmax$ and $v_1(x_2) \leq cmax$: $\langle v_1(x_1) \rangle \leq \langle v_1(x_2) \rangle$ if and only if $\langle v_2(x_1) \rangle \leq \langle v_2(x_2) \rangle$.

• For all $v_1, v_2 \in V(C)$: $v_1 \approx^{c}_{cmax} v_2$ iff $v_1 \approx_{cmax} v_2$ and:

(C4) for all $x_1, x_2 \in C$ s.t. $v_1(x_1) > cmax$ or $v_1(x_2) > cmax$: either we have $|v^c_1(x_1) - v^c_1(x_2)| > 2 \cdot cmax$ and $|v^c_2(x_1) - v^c_2(x_2)| > 2 \cdot cmax$; or we have $\lfloor v^c_1(x_1) - v^c_1(x_2) \rfloor = \lfloor v^c_2(x_1) - v^c_2(x_2) \rfloor$ and $\lceil v^c_1(x_1) - v^c_1(x_2) \rceil = \lceil v^c_2(x_1) - v^c_2(x_2) \rceil$.

Equivalence classes of both $\approx_{cmax}$ and $\approx^{c}_{cmax}$ are called regions. We denote by $\mathrm{Reg}(C, cmax)$ and $\mathrm{Reg}^{c}(C, cmax)$ the set of regions of $\approx_{cmax}$ and $\approx^{c}_{cmax}$ respectively. Fig. 2 (a), (b) and (c) illustrate these two notions. Comparing (a) and (b) clearly shows how $\approx^{c}_{cmax}$ refines $\approx_{cmax}$ by introducing diagonal constraints between clocks larger than $cmax$. Moreover, (c) shows why we need to rely on $v^c_1$ and $v^c_2$ in C4: in this case, $C$ contains a history and a prophecy clock that evolve in opposite directions with time elapsing. Thus, their sum remains constant over time (hence the $2 \cdot cmax$ in C4).

Observe that, for any $cmax$, and for any finite set of clocks $C$, $\mathrm{Reg}(C, cmax)$ and $\mathrm{Reg}^{c}(C, cmax)$ are finite sets. A region $r$ on a set of clocks $C$ is initial (resp. final) iff it contains only initial (resp. final) valuations.

Regions are not a language equivalence Since both notions of regions defined above are finite, Corollary 1 implies that they cannot form a language equivalence for ECA. Let us explain intuitively why it is not the case. Consider $\mathrm{Reg}(P_{\{a,b\}}, 1)$ and the two valuations $v_1$ and $v_2$ in Fig. 2 (a). Clearly, $v_1$ can reach the region where $\overrightarrow{x}_a = 1$ and $\overrightarrow{x}_b > 1$, while $v_2$ cannot. Conversely, $v_2$ can reach $\overrightarrow{x}_a > 1$ and $\overrightarrow{x}_b = 1$ but $v_1$ cannot. It is easy to build an ECA with $cmax = 1$ that distinguishes between those two cases and accepts different words. Then, consider $\mathrm{Reg}(P_{\{a,b\}}, 1)$ and the valuations $v^4$ and $v^5$ (not shown in the figure) s.t. $v^4(\overrightarrow{x}_b) = v^5(\overrightarrow{x}_b) = 1$, $v^4(\overrightarrow{x}_a) = 4$ and $v^5(\overrightarrow{x}_a) = 5$. It is easy to see that for $A_{\mathrm{inf}}$ in Fig. 1, $\mathrm{Untime}(L(A_{\mathrm{inf}}, (q_0, v^4))) = \{bbba\} \neq \{bbbba\} = \mathrm{Untime}(L(A_{\mathrm{inf}}, (q_0, v^5)))$, although $v^4$ and $v^5$ belong to the same region. Indeed, from $v^4$, the $(q_0, q_0)$ loop can be fired 3 times before we reach $\overrightarrow{x}_a = 1$ and the $(q_0, q_1)$ edge can be fired. However, the $(q_0, q_0)$ loop has to be fired 4 times from $v^5$ before we reach $\overrightarrow{x}_a = 1$ and the $(q_0, q_1)$ edge can be fired. Remark that these are essentially the same arguments as in the proof of Proposition 1. These two examples illustrate the issue with prophecy clocks and regions. Roughly speaking, to keep the set of regions finite, valuations where the clocks are too large (for instance, $> cmax$ in the case of $\mathrm{Reg}(C, cmax)$) belong to the same region. This is not a problem for history clocks as a history clock larger than $cmax$ remains over $cmax$ with time elapsing. This is not the case for prophecy clocks whose values decrease with time elapsing: eventually, those clocks reach a value $\leq cmax$, but the region equivalence is too coarse to allow to predict the region they reach.
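The event-clock semantics of Section 2, the proof of Proposition 1 and the argument of the paragraph above, made concrete. The Python below is an added example and not code from the paper: it simulates $(q, v)$-runs of an ECA on a timed word (letting time elapse, testing the guard on $\bar{v}$ with the prophecy clock of the letter set to the delay up to its next occurrence, then resetting the history clock), computes a canonical key for the $\approx_{cmax}$ region of a valuation (conditions C1 to C3), and shows that $v^4$ and $v^5$ share a region key for $cmax = 1$ while the only words accepted from them are $bbba$ and $bbbba$. Since Fig. 1 is not reproduced on this page, the automaton `A_INF_EDGES` is an assumed reconstruction consistent with the behaviour the text describes (a $b$-loop on $q_0$ that fires while the next $b$ is one unit away and $a$ is more than one unit away, or when $a$ is exactly one unit away; an $a$-edge to the accepting $q_1$ when the last $b$ was read one unit ago); its guards are ours, not the paper's.

```python
"""Event-clock semantics (Sect. 2) and Alur-Dill regions over event clocks.

Added example, not code from the paper.  A clock is keyed ("H", s) for the
history clock of letter s and ("P", s) for its prophecy clock; None is ⊥.
"""
from fractions import Fraction

BOT = None

def H(s):
    return ("H", s)

def P(s):
    return ("P", s)

def elapse(v, d):
    """v + d: history clocks increase, prophecy clocks decrease, ⊥ stays ⊥.
    Returns None if a prophecy clock would go below 0 (no such successor)."""
    out = {}
    for x, val in v.items():
        if val is BOT:
            out[x] = BOT
        elif x[0] == "H":
            out[x] = val + d
        elif val < d:
            return None
        else:
            out[x] = val - d
    return out

def atom(v, x, op, c):
    """Atomic constraint x ~ c with ~ in {<, >, =}; ⊥ satisfies no atom."""
    val = v[x]
    if val is BOT:
        return False
    return {"<": val < c, ">": val > c, "=": val == c}[op]

def accepts(edges, accepting, q0, v0, theta):
    """Is theta = [(letter, timestamp), ...] accepted by some (q0, v0)-run?
    edges: (q, letter, guard, q') with guard a predicate on v̄.  The clock
    valuation is unique; only the set of reachable locations is tracked."""
    locs, v, now = {q0}, dict(v0), Fraction(0)
    for i, (sigma, tau) in enumerate(theta):
        tau = Fraction(tau)
        v = elapse(v, tau - now)
        now = tau
        if v is None or v[P(sigma)] != 0:   # sigma must be predicted right now
            return False
        # v̄ = v with x⃗_sigma := delay to the next sigma (⊥ if there is none)
        later = [Fraction(t) for s, t in theta[i + 1:] if s == sigma]
        vbar = dict(v)
        vbar[P(sigma)] = later[0] - now if later else BOT
        locs = {q2 for q1, s, guard, q2 in edges
                if q1 in locs and s == sigma and guard(vbar)}
        if not locs:
            return False
        v = dict(vbar)
        v[H(sigma)] = Fraction(0)            # v' = v̄[x⃖_sigma := 0]
    final = all(v[x] is BOT for x in v if x[0] == "P")
    return final and bool(locs & accepting)

def region_key(v, cmax):
    """Canonical key of the ≈_cmax region of v (C1-C3): which clocks are ⊥,
    the integer part of each clock or "big" if above cmax, and the ordering
    of <v(x)> (delay to the next integer) among the clocks at most cmax."""
    parts, delays = {}, {}
    for x, val in v.items():
        if val is BOT:
            parts[x] = "bot"
        elif val > cmax:
            parts[x] = "big"
        else:
            val = Fraction(val)
            floor = val.numerator // val.denominator
            ceil = -((-val.numerator) // val.denominator)
            parts[x] = (floor, ceil)
            delays[x] = ceil - val if x[0] == "H" else val - floor
    levels = sorted(set(delays.values()))
    order = tuple(sorted((x, levels.index(d)) for x, d in delays.items()))
    return tuple(sorted(parts.items())), order

# Assumed reconstruction of A_inf over {a, b}: Fig. 1 is not reproduced on
# this page, so the guards below are ours, chosen to match the text.
def _loop_guard(vbar):
    """b again: next b in 1 and a more than 1 away, or a exactly 1 away."""
    return (atom(vbar, P("b"), "=", 1) and atom(vbar, P("a"), ">", 1)) \
        or atom(vbar, P("a"), "=", 1)

def _exit_guard(vbar):
    """a: the last b was read exactly 1 time unit ago."""
    return atom(vbar, H("b"), "=", 1)

A_INF_EDGES = [("q0", "b", _loop_guard, "q0"), ("q0", "a", _exit_guard, "q1")]
A_INF_ACCEPTING = {"q1"}

def v_n(n, first_b):
    """Initial valuation: next a in n time units, next b in first_b."""
    return {H("a"): BOT, H("b"): BOT, P("a"): Fraction(n), P("b"): Fraction(first_b)}

def theta_n(n, first_b):
    """(b, first_b)(b, first_b + 1) ... (b, n - 1)(a, n)."""
    return [("b", t) for t in range(first_b, n)] + [("a", n)]

def a_inf_accepts(v0, theta):
    return accepts(A_INF_EDGES, A_INF_ACCEPTING, "q0", v0, theta)
```

`v_n(4, 1)` and `v_n(5, 1)` are the $v^4$ and $v^5$ of this paragraph: `region_key` returns the same key for both with `cmax = 1`, yet `a_inf_accepts` accepts `theta_n(4, 1)` (i.e. $bbba$) only from the former and `theta_n(5, 1)` only from the latter. With `first_b = 0`, `v_n(n, 0)` and `theta_n(n, 0)` are the $v^n$ and $\theta^n$ of the proof of Proposition 1, and every $v^n$ with $n \geq 2$ lands in the same region.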

Region automata Let us now consider the consequence of Corollary 1 on the notion of region automaton. We first define two variants of the region automaton:

Definition 1. Let $A = (Q, q_i, \Sigma, \delta, \alpha)$ and $\mathcal{R}$ be a set of regions on $V(C_\Sigma)$. Then, the existential (resp. universal) $\mathcal{R}$-region automaton of $A$ is the finite transition system $RA(\exists, \mathcal{R}, A)$ (resp. $RA(\forall, \mathcal{R}, A)$) defined by $(Q^R, Q^R_i, \Sigma, \delta^R, \alpha^R)$ s.t.:

1. $Q^R = Q \times \mathcal{R}$

2. $Q^R_i = \{(q_i, r) \mid r \text{ is an initial region}\}$

3. $\delta^R \subseteq Q^R \times \Sigma \times Q^R$ is s.t. $((q_1, r_1), \sigma, (q_2, r_2)) \in \delta^R$ iff there exists a valuation (resp. for all valuations) $v_1 \in r_1$, there exists a time delay $t \in \mathbb{R}^{\geq 0}$ and a valuation $v_2 \in r_2$ s.t. $(q_1, v_1) \xrightarrow{t, \sigma} (q_2, v_2)$.

4. $\alpha^R = \{(q, r) \mid q \in \alpha \text{ and } r \text{ is a final region}\}$

Figure 2: The sets of regions (a) $\mathrm{Reg}(P_{\{a,b\}}, 1)$, (b) $\mathrm{Reg}^{c}(P_{\{a,b\}}, 1)$ and (c) $\mathrm{Reg}(C_{\{a\}}, 1)$. Dotted arrows show the trajectories followed by the valuations with time elapsing. Curved arrows are used to refer to selected regions.

Let $R = (Q^R, Q^R_i, \Sigma, \delta^R, \alpha^R)$ be a region automaton and $w$ be an (untimed) word over $\Sigma$. A run of $R$ on $w = w_0 w_1 \ldots w_n$ is a finite sequence $(q_0, r_0)(q_1, r_1) \ldots (q_{n+1}, r_{n+1})$ of states of $R$ such that $(q_0, r_0) \in Q^R_i$ and such that for all $0 \leq i \leq n$: $((q_i, r_i), w_i, (q_{i+1}, r_{i+1})) \in \delta^R$. Such a run is accepting iff $(q_{n+1}, r_{n+1}) \in \alpha^R$ (in that case, we say that $w$ is accepted by $R$). The language $L(R)$ of $R$ is the set of all untimed words accepted by $R$.

Let $A$ be an ECA with alphabet $\Sigma$ and maximal constant $cmax$. If we adapt and apply the notion of region automaton, as defined for timed automata [2], to $A$ we obtain $RA(\forall, \mathrm{Reg}(C_\Sigma, cmax), A)$. To alleviate notations, we denote it by $\mathrm{RegAut}_\forall(A)$. In the rest of the paper, we also consider three other variants: (i) $\mathrm{RegAut}^{c}_\forall(A) = RA(\forall, \mathrm{Reg}^{c}(C_\Sigma, cmax), A)$, (ii) $\mathrm{RegAut}_\exists(A) = RA(\exists, \mathrm{Reg}(C_\Sigma, cmax), A)$ and (iii) $\mathrm{RegAut}^{c}_\exists(A) = RA(\exists, \mathrm{Reg}^{c}(C_\Sigma, cmax), A)$. Observe that, for timed automata, all these automata coincide, and thus accept the untimed language (this can be proved by a bisimulation argument) [2]. Let us see how these results adapt (or not) to ECA.

Recognized language of universal region automata Let us show that, in general, universal region automata do not recognize the untimed language of the ECA.

Lemma 1. There is an ECA $A$ such that $L(\mathrm{RegAut}_\forall(A)) \subsetneq \mathrm{Untime}(L(A))$ and such that $L(\mathrm{RegAut}^{c}_\forall(A)) \subsetneq \mathrm{Untime}(L(A))$.

Proof. Consider the automaton $A_{\mathrm{inf}}$ in Fig. 1 with $cmax = 1$. Assume there is, in $\mathrm{RegAut}_\forall(A_{\mathrm{inf}})$, an edge of the form $((q_0, r), b, (q_0, r'))$, where $r$ is initial. By the guard of the $(q_0, q_0)$ loop, $r'$ is a region s.t. for all $v \in r'$: $v(\overrightarrow{x}_b) = 1$ and $v(\overrightarrow{x}_a) > 1$. To fire the $(q_0, q_0)$ loop again, we need to let time elapse up to the point where $\overrightarrow{x}_b = 0$. Then consider two valuations $v$ and $v'$ s.t. $v(\overrightarrow{x}_b) = v'(\overrightarrow{x}_b) = 1$, $v(\overrightarrow{x}_a) = 1.1$ and $v'(\overrightarrow{x}_a) = 2.1$. Clearly, $\{v, v'\} \subseteq r'$. However, firing the $(q_0, q_0)$ loop from $(q_0, v)$ leads to $(q_0, v'')$, with $v''(\overrightarrow{x}_a) = 0.1$, and firing the same $(q_0, q_0)$ loop from $(q_0, v')$ leads to $(q_0, v''')$ with $v'''(\overrightarrow{x}_a) = 1.1$. Thus, $v''$ and $v'''$ do not belong to the same region. Since we are considering a universal automaton, we conclude that there is no edge of the form $((q_0, r'), b, (q_0, r''))$. Hence, $\mathrm{RegAut}_\forall(A_{\mathrm{inf}})$ cannot recognize an arbitrary number of $b$'s from any of its initial states, and thus, $L(\mathrm{RegAut}_\forall(A_{\mathrm{inf}})) \subsetneq \mathrm{Untime}(L(A_{\mathrm{inf}}))$.

For the second case, we consider Fig. 2 (b) that depicts the projection of the set of regions used to build $\mathrm{RegAut}^{c}_\forall(A_{\mathrm{inf}})$ on the clocks $\{\overrightarrow{x}_a, \overrightarrow{x}_b\}$ (remark that we can restrict our reasoning to this projection, since the other clocks are never tested in $A_{\mathrm{inf}}$). Assume there is, in $\mathrm{RegAut}^{c}_\forall(A_{\mathrm{inf}})$, an edge of the form $((q_0, r), b, (q_0, r'))$ where $r$ is initial. This implies that $r' \in \{r_1, \ldots, r_5\}$ (we refer to the names in Fig. 2), because of the guard of the $(q_0, q_0)$ loop. Since $\mathrm{Untime}(L(A_{\mathrm{inf}})) = \{b^n a \mid n \geq 1\}$, it must be possible to accept an arbitrary number of $b$'s from one of the $(q_0, r')$. Let us show that it is not the case. From the two remaining regions $r_4$ and $r_5$ we have edges $((q_0, r_4), b, (q_0, r_1))$ and $((q_0, r_5), b, (q_0, r_2))$. However, there is no valuation $v \in r_1 \cup r_2$ s.t. $(v + t)(\overrightarrow{x}_b) = 0$ and $(v + t)(\overrightarrow{x}_a) > 1$ for some $t$. Thus, there is, in $\mathrm{RegAut}^{c}_\forall(A_{\mathrm{inf}})$, no edge of the form $((q_0, r), b, (q_0, r'))$ when $r \in \{r_1, r_2\}$. Finally, there is no edge of the form $((q_0, r_3), b, (q_0, r))$ because some valuations of $r_3$ (such as $v_1$) will leave $r_3$ and some others (such as $v_2$) will stay in $r_3$ after the firing of the loop. Since we consider a universal automaton, $(q_0, r_3)$ has no successor. □

Recognized language of existential region automata Fortunately, the definition of existential region automaton allows us to recover a finite transition system recognizing exactly $\mathrm{Untime}(L(A))$, for all ECA $A$. Remark that our construction is direct, contrary to the original construction [3] that consists in first translating the ECA into a non-deterministic timed automaton recognising the same timed language but with an increased number of clocks compared to the original ECA, and then computing the region automaton of this timed automaton. Moreover, the proof we are about to present cannot invoke the fact that regions form a time-abstract bisimulation, as is the case for timed automata, and we thus need to rely on different proof techniques. Actually, we will show that:

$$\mathrm{Untime}(L(A)) \subseteq L(\mathrm{RegAut}^{c}_\exists(A)) \subseteq L(\mathrm{RegAut}_\exists(A)) \subseteq \mathrm{Untime}(L(A))$$

The two leftmost inclusions are easily established by the following reasonings. Let $(q_0, v_0)(t_0, w_0)(q_1, v_1)(t_1, w_1) \cdots (q_n, v_n)$ be an accepting run of $A$ on $\theta = (\tau, w)$. Thus, $\theta \in L(A)$. For all $0 \leq i \leq n$ let $r_i$ be the (unique) region of $\mathrm{Reg}^{c}(C_\Sigma, cmax)$ containing $v_i$. Then, by definition of $\mathrm{RegAut}^{c}_\exists(A)$, $(q_0, r_0) w_0 (q_1, r_1) w_1 \cdots (q_n, r_n)$ is an accepting run of $\mathrm{RegAut}^{c}_\exists(A)$ on $w = \mathrm{Untime}(\theta)$. Hence $\mathrm{Untime}(L(A)) \subseteq L(\mathrm{RegAut}^{c}_\exists(A))$. Second, since $\approx^{c}_{cmax}$ refines $\approx_{cmax}$, each accepting run $(q_0, r_0) w_0 (q_1, r_1) w_1 \cdots (q_n, r_n)$ in $\mathrm{RegAut}^{c}_\exists(A)$ corresponds to an accepting run $(q_0, r'_0) w_0 (q_1, r'_1) w_1 \cdots (q_n, r'_n)$ in $\mathrm{RegAut}_\exists(A)$, where for any $0 \leq i \leq n$, $r'_i$ is the (unique) region of $\mathrm{Reg}(C_\Sigma, cmax)$ that contains $r_i$. Hence, $L(\mathrm{RegAut}^{c}_\exists(A)) \subseteq L(\mathrm{RegAut}_\exists(A))$.

To establish $L(\mathrm{RegAut}_\exists(A)) \subseteq \mathrm{Untime}(L(A))$ we need to rely on the notion of weak time successor. The set of weak time successors of $v$ by $t$ time units is:

$$v +_w t = \left\{ v' \;\middle|\; \forall x : \begin{array}{l} (x \in P_\Sigma \text{ and } v(x) > cmax) \text{ implies } v'(x) > cmax - t \\ \text{and} \\ (x \notin P_\Sigma \text{ or } v(x) \leq cmax \text{ or } v(x) = \bot) \text{ implies } v'(x) = (v + t)(x) \end{array} \right\}$$

As can be seen, weak time successors introduce non-determinism on prophecy clocks that are larger than $cmax$. So, $v +_w t$ is a set of valuations. Let $q$ be a location of an ECA. We write $(q, v) \xrightarrow{t}_w (q, v')$ whenever $v' \in (v +_w t)$. Then, a sequence $(q_0, v_0)(t_0, w_0)(q_1, v_1)(t_1, w_1)(q_2, v_2) \cdots (q_n, v_n)$ is an initialized weak run, on $\theta = (\tau, w)$, of an ECA $A = (Q, q_i, \Sigma, \delta, \alpha)$ iff $q_0 = q_i$, $v_0$ is initial, $t_0 = \tau_0$, for any $1 \leq i \leq n - 1$: $t_i = \tau_i - \tau_{i-1}$, and for any $0 \leq i \leq n - 1$: there is $(q_i, v'_i)$ s.t. $(q_i, v_i) \xrightarrow{t_i}_w (q_i, v'_i) \xrightarrow{w_i} (q_{i+1}, v_{i+1})$. A weak run is accepting iff $q_n \in \alpha$ and $v_n$ is final. The weak language $wL(A)$ of $A$ is the set of all timed words $\theta$ s.t. there is an accepting weak run on $\theta$. Clearly, $L(A) \subseteq wL(A)$ as every run is also a weak run. However, the converse also holds, since the non-determinism appears only on clocks larger than $cmax$, which the automaton cannot distinguish:

Proposition 2. For any ECA $A$: $L(A) = wL(A)$.

Proof. Since, by definition, every run is a weak run, $L(A) \subseteq wL(A)$. Let us show that $L(A) \supseteq wL(A)$. Let $\theta = (\tau_0, w_0) \cdots (\tau_n, w_n)$ be a timed word in $wL(A)$, and let $(q_0, v_0) \xrightarrow{t_0}_w (q_0, v'_0) \xrightarrow{w_0} (q_1, v_1) \cdots (q_{n+1}, v_{n+1})$ be the corresponding accepting weak run of $A$. For any $0 \leq i \leq n$, we build $\hat{v}_i$ as follows. For any $x$ s.t. $x \in P_\Sigma$ and $v'_i(x) > cmax$, let $k \geq i$ be the least position s.t. $v'_k(x) \leq cmax$. Remark that such a position always exists in an accepting run (recall that if a letter is never to be seen again, its prophecy clock must be set to $\bot$, and that a prophecy clock must be $0$ when its letter is read). Then, we let $\hat{v}_i(x) = v'_k(x) + \sum_{j=i+1}^{k} t_j$. Otherwise, we let $\hat{v}_i(x) = v'_i(x)$. Remark that $v'_i$ and $\hat{v}_i$ differ only on prophecy clocks whose value in $v'_i$ is larger than $cmax$. Moreover, the definition of the sequence of $\hat{v}_i$ clearly respects the definition of time successor. We further define $\tilde{v}_i$ for all $i$ as follows: $\tilde{v}_i(x) = t_i + \hat{v}_i(x)$ for all $x \in P_\Sigma$ s.t. $v_i(x) > cmax$, and $\tilde{v}_i(x) = v_i(x)$ otherwise. Hence, it can be checked that for all $0 \leq i \leq n$, $(q_i, \tilde{v}_i) \xrightarrow{t_i} (q_i, \hat{v}_i) \xrightarrow{w_i} (q_{i+1}, \tilde{v}_{i+1})$, and so that $(q_0, \tilde{v}_0) \xrightarrow{t_0} (q_0, \hat{v}_0) \xrightarrow{w_0} (q_1, \tilde{v}_1) \xrightarrow{t_1} (q_1, \hat{v}_1) \cdots (q_{n+1}, \tilde{v}_{n+1})$ is a run of $A$ on $\theta$. Moreover, $\tilde{v}_{n+1}(x) = v_{n+1}(x) = \bot$ for all $x \in P_\Sigma$. Thus, $\theta \in L(A)$ and thus, $L(A) \supseteq wL(A)$. □
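Weak time successors and the repair step of the proof of Proposition 2, as an added example that is not code from the paper: a membership test for $v' \in v +_w t$, and a function that turns an accepting weak run into an exact run by back-propagating, for every prophecy clock above $cmax$, the first later value at or below $cmax$ (the $\hat{v}_i$ and $\tilde{v}_i$ of the proof) and then checking that the result really is a chain of exact time successors and transitions. The weak run it is exercised on is constructed here over $\{a, b\}$ with $cmax = 1$: the next $a$ is really 2 time units away at time 0, but the weak run carries the values 9 and then 7 for $\overrightarrow{x}_a$ until the clock comes down to 1.

```python
"""Weak time successors (v +_w t) and repair of a weak run into an exact run.

Added example, not code from the paper.  Clocks are keyed ("H", s) for the
history clock of letter s and ("P", s) for its prophecy clock; None is ⊥;
CMAX is the maximal constant of the automaton.
"""
BOT = None
CMAX = 1

def H(s):
    return ("H", s)

def P(s):
    return ("P", s)

def elapse(v, d):
    """Exact time successor v + d (history up, prophecy down, ⊥ fixed)."""
    return {x: (BOT if val is BOT else val + d if x[0] == "H" else val - d)
            for x, val in v.items()}

def fire(v, sigma, c):
    """Read sigma from v: x⃗_sigma must be 0; it becomes c (delay to the next
    sigma, or ⊥) and x⃖_sigma is reset to 0."""
    if v[P(sigma)] != 0:
        raise ValueError("sigma is not due now")
    out = dict(v)
    out[P(sigma)], out[H(sigma)] = c, 0
    return out

def is_weak_successor(v, w, t, cmax=CMAX):
    """w ∈ v +_w t: every clock evolves exactly, except a prophecy clock
    above cmax, which may take any defined value above cmax - t."""
    exact = elapse(v, t)
    for x, val in v.items():
        if x[0] == "P" and val is not BOT and val > cmax:
            if w[x] is BOT or w[x] <= cmax - t:
                return False
        elif w[x] != exact[x]:
            return False
    return True

def repair_weak_run(v0, steps, cmax=CMAX):
    """steps[i] = (t_i, v'_i, w_i, c_i): delay, chosen weak successor, letter
    read, value given to x⃗_{w_i} after reading it.  Returns the exact run
    [ṽ_0, v̂_0, ṽ_1, v̂_1, ..., ṽ_n] of the proof of Proposition 2, or raises
    ValueError if the input is not an accepting weak run."""
    n = len(steps)
    ts = [s[0] for s in steps]
    vp = [s[1] for s in steps]
    vs = [v0]                               # the v_i of the weak run
    for t, v_prime, sigma, c in steps:
        if not is_weak_successor(vs[-1], v_prime, t, cmax):
            raise ValueError("step is not a weak time successor")
        vs.append(fire(v_prime, sigma, c))
    vhat = []                               # v̂_i: exact values above cmax
    for i in range(n):
        h = dict(vp[i])
        for x, val in vp[i].items():
            if x[0] == "P" and val is not BOT and val > cmax:
                ks = [j for j in range(i, n)
                      if vp[j][x] is not BOT and vp[j][x] <= cmax]
                if not ks:
                    raise ValueError("%r never comes down: not accepting" % (x,))
                h[x] = vp[ks[0]][x] + sum(ts[i + 1:ks[0] + 1])
        vhat.append(h)
    run = []
    for i in range(n):                      # ṽ_i: undo t_i on the large clocks
        tilde = {x: (vhat[i][x] + ts[i]
                     if x[0] == "P" and val is not BOT and val > cmax else val)
                 for x, val in vs[i].items()}
        if run:
            if tilde != run[-1]:
                raise ValueError("repaired valuations do not chain")
        else:
            run.append(tilde)
        if elapse(tilde, ts[i]) != vhat[i]:
            raise ValueError("repaired valuations do not chain")
        run.append(vhat[i])
        run.append(fire(vhat[i], steps[i][2], steps[i][3]))
    return run

def demo_weak_run():
    """Constructed weak run over {a, b}, cmax = 1, on (b, 0)(b, 1)(a, 2):
    a is really 2 time units away at time 0, but the weak run carries 9 and
    then 7 for x⃗_a (both above cmax) until the clock comes down to 1."""
    v0 = {H("a"): BOT, H("b"): BOT, P("a"): 9, P("b"): 0}
    steps = [
        (0, {H("a"): BOT, H("b"): BOT, P("a"): 7, P("b"): 0}, "b", 1),
        (1, {H("a"): BOT, H("b"): 1, P("a"): 1, P("b"): 0}, "b", BOT),
        (1, {H("a"): BOT, H("b"): 1, P("a"): 0, P("b"): BOT}, "a", BOT),
    ]
    return v0, steps
```

On `demo_weak_run()`, the first step is a weak but not an exact successor (9 becomes 7 with no time elapsing), and `repair_weak_run` replaces both by the true value 2 for $\overrightarrow{x}_a$ in $\tilde{v}_0$ and $\hat{v}_0$, then 1 in $\hat{v}_1$, exactly as the back-propagation $\hat{v}_0(x) = v'_1(x) + t_1$ prescribes; the automaton's guards never see the difference, since both 9 and 2 are above $cmax$.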

Then, we prove that weak time successors enjoy a property which is reminiscent of time abstract bisimulation. This allows to establish Theorem 1.

Lemma 2. Let $C$ be a set of clocks and let $cmax$ be a natural constant. For any $v_1, v_2 \in V(C)$ s.t. $v_1 \approx_{cmax} v_2$, for any $t_1 \in \mathbb{R}^{\geq 0}$, there exist $t_2$ and $v' \in (v_2 +_w t_2)$ s.t. $v_1 + t_1 \approx_{cmax} v'$.

Proof. The cases where $v_1 \approx_{cmax} v_1 + t_1$ are trivial. We first restrict ourselves to the case where $v_1$ and $v_1 + t_1$ belong to adjacent regions, that is:

$$\exists\, 0 \leq t \leq t_1 : \quad \forall\, 0 \leq t' < t : v_1 + t' \approx_{cmax} v_1 \quad \text{and} \quad \forall\, t < t' \leq t_1 : v_1 + t' \approx_{cmax} v_1 + t_1 \qquad (1)$$

Let us now show how to choose $t_2$. For a valuation $v$, let $C^0_v$ denote the set of clocks $x$ s.t. $\langle v(x) \rangle = 0$. Under the hypothesis (1), we have to consider two cases:

1. Either $C^0_{v_1} = \emptyset$ and $C^0_{v_1 + t_1} \neq \emptyset$. In that case, let $x$ be a clock in $C^0_{v_1 + t_1}$. We let $t_2 = \langle v_2(x) \rangle$.

2. Or $C^0_{v_1} \neq \emptyset$ and $C^0_{v_1 + t_1} = \emptyset$. In that case, we need to consider two sub-cases. If there is $x$ s.t. $\langle v_2(x) \rangle \neq 0$, we let $t_2$ be a value s.t. $0 < t_2 < \min\{\langle v_2(x) \rangle \mid \langle v_2(x) \rangle \neq 0\}$. Otherwise, all the clocks in $v_2$ have a null fractional part, and we can take any delay $< 1$ for $t_2$: we let $t_2 = 0.1$.

Now, let us show that there exists $v' \in v_2 +_w t_2$ s.t. $v' \approx_{cmax} v_1 + t_1$. For that purpose, we first build a valuation $v_3$ as follows. For any history clock $x$, we let $v_3(x) = v_2(x)$. For all prophecy clocks $x$ s.t. $v_2(x) \leq cmax$ or $v_2(x) = \bot$, we let $v_3(x) = v_2(x)$ too. For all prophecy clocks $x$ s.t. $v_2(x) > cmax$ (and thus $v_1(x) > cmax$ since $v_1 \approx_{cmax} v_2$), we consider two cases. Either $(v_1 + t_1)(x) > cmax$. In that case we let $v_3(x) = cmax + t_2 + 1$. Or $(v_1 + t_1)(x) = cmax$. In that case we let $v_3(x) = cmax + t_2$. Remark that the case $(v_1 + t_1)(x) < cmax$ is not possible since we have assumed that $v_1(x) > cmax$ and that $v_1$ and $v_1 + t_1$ are in adjacent regions.

We now let $v' = v_3 + t_2$. It is easy to check that $v' \approx_{cmax} (v_1 + t_1)$. Moreover, $v' \in (v_2 +_w t_2)$, since $v_3$ has been obtained from $v_2$ by replacing values larger than $cmax$ by other values larger than $cmax$.

To conclude, observe that if $v_3 \in (v_2 +_w t_2)$ and $v_2 \in (v_1 +_w t_1)$, then $v_3 \in (v_1 +_w (t_1 + t_2))$. This allows to handle the case where $v_1$ and $v_1 + t_1$ are not in adjacent regions: we decompose $t_1$ into a sequence $t'_1, t'_2, \ldots, t'_n$ s.t. $t_1 = t'_1 + t'_2 + \cdots + t'_n$, and for all $1 \leq i \leq n$, $v_1 + \sum_{j=1}^{i-1} t'_j$ and $v_1 + \sum_{j=1}^{i} t'_j$ are in adjacent regions. Then, applying the reasoning above, we get a sequence $t''_1, \ldots, t''_n$ of time delays and a sequence $v'_0, v'_1, \ldots, v'_n$ of valuations s.t. $v'_0 = v_2$, for all $0 \leq i < n$, $v'_{i+1} \in v'_i +_w t''_{i+1}$ and $v'_{i+1} \approx_{cmax} v_1 + \sum_{j=1}^{i+1} t'_j$. Thus, $v'_n \in v_2 +_w \sum_{j=1}^{n} t''_j$ and $v'_n \approx_{cmax} v_1 + \sum_{j=1}^{n} t'_j = v_1 + t_1$. □

We can now prove that:

Theorem 1. For any ECA $A = (Q, q_i, \Sigma, \delta, \alpha)$: $L(\mathrm{RegAut}_\exists(A)) \subseteq \mathrm{Untime}(L(A))$.

Proof. Let $(q_0, r_0) \xrightarrow{w_0} (q_1, r_1) \xrightarrow{w_1} \cdots \xrightarrow{w_{n-1}} (q_n, r_n)$ be an accepting run of $\mathrm{RegAut}_\exists(A)$. Let us build inductively a sequence $t_0, t_1, \ldots, t_{n-1}$ of time delays and a sequence $v_0, v_1, \ldots, v_n$ of valuations s.t. $v_i \in r_i$ for all $0 \leq i \leq n$. This will allow us to obtain an accepting weak run of $A$. For the base case, we let $v_0$ be a valuation from $r_0$ and we let $v_1$ and $t_0$ be s.t. $v_0 \xrightarrow{t_0, w_0} v_1$ with $v_1 \in r_1$. Such $v_1$ and $t_0$ are guaranteed to exist by definition of the region automaton, and since $(q_0, r_0) \xrightarrow{w_0} (q_1, r_1)$ in this region automaton. For the inductive case, we consider $i$ with $2 \leq i \leq n$ and assume that $v_{i-1}$ has been defined and is in $r_{i-1}$. Let us show how to build $t_{i-1}$ and $v_i$. Since $r_{i-1} \xrightarrow{w_{i-1}} r_i$ in the region automaton, there are $\bar{v}_i \in r_i$, $\bar{v}_{i-1} \in r_{i-1}$, and $\bar{t}_{i-1}$ s.t. $\bar{v}_{i-1} \xrightarrow{\bar{t}_{i-1}} \bar{v}_{i-1} + \bar{t}_{i-1} \xrightarrow{w_{i-1}} \bar{v}_i$. Let $c$ denote the value $\bar{v}_i(\overrightarrow{x}_{w_{i-1}})$. Since

$$\bar{v}_{i-1} + \bar{t}_{i-1} \xrightarrow{w_{i-1}} \bar{v}_i \qquad (2)$$

we know that

$$(\bar{v}_{i-1} + \bar{t}_{i-1})[\overrightarrow{x}_{w_{i-1}} := c] \models \psi \qquad (3)$$

where $\psi$ is the guard of the edge responsible for (2), and that

$$\bar{v}_i = (\bar{v}_{i-1} + \bar{t}_{i-1})[\overrightarrow{x}_{w_{i-1}} := c, \overleftarrow{x}_{w_{i-1}} := 0]. \qquad (4)$$

Next, we let $v'_{i-1}$ be a valuation and $t_{i-1}$ be a time delay s.t. $v'_{i-1} \in v_{i-1} +_w t_{i-1}$ and

$$v'_{i-1} \approx_{cmax} (\bar{v}_{i-1} + \bar{t}_{i-1}). \qquad (5)$$

Such $v'_{i-1}$ and $t_{i-1}$ are guaranteed to exist by Lemma 2: $v_{i-1} \in r_{i-1}$ by induction hypothesis and $\bar{v}_{i-1} \in r_{i-1}$ by construction, hence $v_{i-1} \approx_{cmax} \bar{v}_{i-1}$. Then, we let

$$v_i = v'_{i-1}[\overrightarrow{x}_{w_{i-1}} := c, \overleftarrow{x}_{w_{i-1}} := 0]. \qquad (6)$$

Let us check that $v'_{i-1} \xrightarrow{w_{i-1}} v_i$. By (5), $v'_{i-1}$ and $\bar{v}_{i-1} + \bar{t}_{i-1}$ are equivalent. Hence, $v'_{i-1}[\overrightarrow{x}_{w_{i-1}} := c] \approx_{cmax} (\bar{v}_{i-1} + \bar{t}_{i-1})[\overrightarrow{x}_{w_{i-1}} := c]$. Thus, by (3), $v'_{i-1}[\overrightarrow{x}_{w_{i-1}} := c] \models \psi$ and the same transition can be fired from $v'_{i-1}$, leading to $v_i$, by (6). Finally, by (4), (6) and (5), we deduce that $v_i \approx_{cmax} \bar{v}_i \in r_i$, hence $v_i \in r_i$.

By construction, $(q_0, v_0) \xrightarrow{t_0}_w (q_0, v'_0) \xrightarrow{w_0} (q_1, v_1) \xrightarrow{t_1}_w (q_1, v'_1) \xrightarrow{w_1} \cdots (q_n, v_n)$ is an accepting weak run of $A$ on a timed word $\theta$ with $\mathrm{Untime}(\theta) = w$. Thus, $L(\mathrm{RegAut}_\exists(A)) \subseteq \mathrm{Untime}(wL(A))$, and since $wL(A) = L(A)$ by Proposition 2, $L(\mathrm{RegAut}_\exists(A)) \subseteq \mathrm{Untime}(L(A))$. □

Size of the existential region automaton The number of Alur-Dill regions on $n$ clocks and with maximal constant $cmax$ is at most $R(n, cmax) = n! \times 2^n \times (2 \times cmax + 2)^n$ [2]. Adapting this result to take into account the $\bot$ value, we have: $|\mathrm{Reg}(C_\Sigma, cmax)| \le R(2 \times |\Sigma|, cmax + 1)$. Hence, the number of locations of $\mathrm{RegAut}_\exists(A)$ for an ECA $A$ with $m$ locations and alphabet $\Sigma$ is at most $m \times R(2 \times |\Sigma|, cmax + 1)$. In [3], a technique is given to obtain a finite automaton recognizing $\mathrm{Untime}(L(A))$ for all ECA $A$: first transform $A$ into a non-deterministic timed automaton [1] $A'$ s.t. $L(A') = L(A)$, then compute the region automaton of $A'$. However, building $A'$ incurs a blow up in the number of clocks and locations, and the size of the region automaton of $A'$ is at most $m \times 2^K \times R(K, cmax)$ where $K = 2 \times |\Sigma| \times (cmax + 2)$ is an upper bound on the number of atomic clock constraints in $A$. Our construction thus yields a smaller automaton.



5 Zones and event-clocks

In the setting of timed automata, the zone data structure [10] has been introduced as an effective way to improve the running time and memory consumption of on-the-fly algorithms for checking emptiness. In this section, we adapt this notion to the framework of ECA, and discuss forward and backward analysis algorithms. Roughly speaking, a zone is a symbolic representation for a set of clock valuations that are defined by constraints of the form $x - y \prec c$, where $x, y$ are clocks, $\prec$ is either $<$ or $\le$, and $c$ is an integer constant. Keeping the difference between clock values makes sense in the setting of timed automata, as all the clocks always have real values and the difference between two clock values is an invariant over the elapsing of time. To adapt the notion of zone to ECA, we need to overcome two difficulties. First, prophecy and history clocks evolve in different directions with time elapsing. Hence, it is not always the case that if $v(x) - v(y) = c$ then $(v + t)(x) - (v + t)(y) = c$ for all $t$ (for instance if $x$ is a prophecy clock and $y$ a history clock). However, the sum of clocks of different types is now an invariant, so event clock zones must be definable either by constraints of the form $x - y \prec c$, if $x$ and $y$ are both history or both prophecy clocks, or by constraints of the form $x + y \prec c$ otherwise. Second, clocks can now take the special value $\bot$. Formally, we introduce the notion of event-zone as follows.

Definition 2. For a set $C$ of clocks over an alphabet $\Sigma$, an event-zone is a subset of $V(C)$ that is defined by a conjunction of constraints of the form $x = \bot$; $x \sim c$; $x_1 - x_2 \sim c$ if $x_1, x_2 \in H_\Sigma$ or $x_1, x_2 \in P_\Sigma$; and $x_1 + x_2 \sim c$ if either $x_1 \in H_\Sigma$ and $x_2 \in P_\Sigma$ or $x_1 \in P_\Sigma$ and $x_2 \in H_\Sigma$, with $x, x_1, x_2 \in C$, $\sim \in \{<, >, \le, \ge\}$ and $c \in \mathbb{Z}$.



Event-clock Difference Bound Matrices In the context of timed automata, Difference Bound Matrices (DBMs for short) have been introduced to represent and manipulate zones [5, 10]. Let us now adapt DBMs to event clocks. In order to adapt DBMs to event-zones, we need to be able to (i) encode constraints of the form $x + y \prec c$ and of the form $x' - y' \prec c$, depending on the types of $x$, $y$, $x'$ and $y'$, (ii) encode constraints of the form $x = \bot$, and (iii) encode the fact that a variable is not constrained by the zone. Indeed, in a DBM, this is encoded by the pair of constraints $x \ge 0$ and $x < +\infty$. This is not sound in our case since $0 \le x < +\infty$ implies that $x \neq \bot$. Thus, we introduce a special symbol $?$ to denote the absence of constraint.

Formally, an EDBM $M$ on the set of clocks $C = \{x_1, \ldots, x_n\}$ is an $(n+1)$ square matrix of elements from $(\mathbb{Z} \times \{<, \le\}) \cup \{(\infty, <), (\bot, =), (?, =)\}$ s.t. for all $0 \le i, j \le n$: $m_{i,j} = (\bot, =)$ implies $i = 0$ or $j = 0$ (i.e., $\bot$ can only appear in the first position of a row or column). Thus, a constraint of the form $x_i = \bot$ will be encoded with either $m_{i,0} = (\bot, =)$ or $m_{0,i} = (\bot, =)$. As in the case of DBMs, we assume that the extra clock $x_0$ is always equal to zero. Moreover, since prophecy clocks decrease as time elapses, they are encoded by their opposite value in the matrix. Hence the EDBM naturally encodes sums of variables when the two clocks are of different types. Each element $(m_{i,j}, \prec_{i,j})$ of the matrix thus represents either the constraint $x_i - x_j \prec_{i,j} m_{i,j}$ or the constraint $x_i + x_j \prec_{i,j} m_{i,j}$, depending on the types of $x_i$ and $x_j$. Finally, the special symbol $?$ encodes the fact that the variable is not constrained (it can take any real value, or the $\bot$ value). Formally, an EDBM $M$ on set of clocks $C = \{x_1, \ldots, x_n\}$ represents the zone $[\![M]\!]$ on set of clocks $C$ s.t. $v \in [\![M]\!]$ iff for all $0 \le i, j \le n$: if $M_{i,j} = (c, \prec)$ with $c \neq ?$ then $\hat v(x_i) - \hat v(x_j) \prec c$ (assuming $\hat v(x_0)$ denotes the value $0$ and assuming that for all $k \in \mathbb{Z} \cup \{\bot\}$: $\bot + k = \bot - k = k + \bot = k - \bot = \bot$). When $[\![M]\!] = \emptyset$, we say that $M$ is empty. In the sequel, we also rely on the $\le$ ordering on EDBM elements. We let $(m; \prec) \le (m'; \prec')$ iff one of the following holds: either (i) $m' = ?$; or (ii) $m, m' \in \mathbb{Z} \cup \{\infty\}$ and $m < m'$; or (iii) $m = m'$ and either $\prec = \prec'$ or $\prec' = \le$.

As an example, consider the two following EDBMs that both represent $x_1 = \bot \wedge 0 \le x_3 - x_4 \le 1 \wedge x_2 + x_4 \le 2$ (where $x_1, x_2$ are prophecy clocks, and $x_3, x_4$ are history clocks):

$$\begin{pmatrix}
(0,\le) & (\bot,=) & (?,=) & (?,=) & (?,=) \\
(\bot,=) & (?,=) & (?,=) & (?,=) & (?,=) \\
(0,\le) & (?,=) & (0,\le) & (?,=) & (?,=) \\
(?,=) & (?,=) & (?,=) & (0,\le) & (1,\le) \\
(?,=) & (?,=) & (2,\le) & (0,\le) & (0,\le)
\end{pmatrix}
\qquad
\begin{pmatrix}
(0,\le) & (\bot,=) & (\infty,<) & (0,\le) & (0,\le) \\
(\bot,=) & (?,=) & (?,=) & (?,=) & (?,=) \\
(0,\le) & (?,=) & (0,\le) & (0,\le) & (0,\le) \\
(\infty,<) & (?,=) & (\infty,<) & (0,\le) & (1,\le) \\
(\infty,<) & (?,=) & (2,\le) & (0,\le) & (0,\le)
\end{pmatrix}$$



Normal form EDBMs As in the case of DBMs, we define a normal form for EDBMs, and show how to turn any EDBM $M$ into a normal form EDBM $M'$ s.t. $[\![M]\!] = [\![M']\!]$. A non-empty EDBM $M$ is in normal form iff the following holds: (i) for all $1 \le i \le n$: $M_{i,0} = (\bot, =)$ iff $M_{0,i} = (\bot, =)$ and $M_{i,0} = (?, =)$ iff $M_{0,i} = (?, =)$, (ii) for all $1 \le i \le n$: $M_{i,0} \in \{(\bot, =), (?, =)\}$ implies $M_{i,j} = M_{j,i} = (?, =)$ for all $1 \le j \le n$, (iii) for all $1 \le i, j \le n$: $M_{i,j} = (?, =)$ iff either $M_{i,0} \in \{(?, =), (\bot, =)\}$ or $M_{j,0} \in \{(?, =), (\bot, =)\}$ and (iv) the matrix $M'$ is a normal form DBM [10], where $M'$ is obtained by projecting away from $M$ all lines $1 \le i \le n$ s.t. $M_{i,0} \in \{(?, =), (\bot, =)\}$ and all columns $1 \le j \le n$ s.t. $M_{0,j} \in \{(?, =), (\bot, =)\}$. To canonically represent the empty zone, we select a particular EDBM $M_\emptyset$ s.t. $[\![M_\emptyset]\!] = \emptyset$. For example, the latter EDBM of the above example is in normal form.

Then, given an EDBM $M$, Algorithm 1 computes a normal form EDBM $M'$ s.t. $[\![M]\!] = [\![M']\!]$. This algorithm relies on the function $\mathrm{DBMNormalise}(M, S)$, where $M$ is an $(\ell+1) \times (\ell+1)$ EDBM and $S \subseteq \{0, \ldots, \ell\}$. $\mathrm{DBMNormalise}(M, S)$ applies the classical normalisation algorithm for DBMs [10] on the DBM obtained by projecting away from $M$ all the lines and columns $i \notin S$. Algorithm 1 proceeds in three steps. In the first loop, we look for lines (resp. columns) $i$ s.t. $M_{i,0}$ (resp. $M_{0,i}$) is $(\bot, =)$, meaning that there is a constraint imposing that $x_i = \bot$. In this case, the corresponding $M_{0,i}$ (resp. $M_{i,0}$) must be equal to $(\bot, =)$ too, and all the other elements in the $i$th line and column must contain $(?, =)$. If we find a $j$ s.t. $M_{i,j} \neq (?, =)$ or $M_{j,i} \neq (?, =)$, then the zone is empty, and we return $M_\emptyset$. Then, in the second loop, the algorithm looks for lines (resp. columns) $i$ with the first element equal to $(?, =)$ but containing a constraint of the form $(c, \prec)$, which imposes that the variable $i$ must be different from $\bot$. We record this information by replacing the $(?, =)$ in $M_{i,0}$ (resp. $M_{0,i}$) by the weakest possible constraint that forces $x_i$ to have a value different from $\bot$. This is either $(0, \le)$ or $(\infty, <)$, depending on the type of $x_i$, and is taken care of by the SetCst function. At this point the set $S$ contains the indices of all variables that are constrained to be real. The algorithm finishes by calling the normalisation function for DBMs. Remark, in particular, that the algorithm returns $M_\emptyset$ iff $M$ is empty, which also provides us with a test for EDBM emptiness.

Proposition 3. For all EDBM $M$, $\mathrm{EDBMNormalise}(M)$ returns a normal form EDBM $M'$ s.t. $[\![M']\!] = [\![M]\!]$.



Algorithm 1: A normalisation algorithm for EDBMs.

 1 EDBMNormalise(M) begin
 2   Let S = {0} ;
 3   foreach 1 ≤ i ≤ n s.t. M_{i,0} = (⊥,=) or M_{0,i} = (⊥,=) do
 4     if ∃ 1 ≤ j ≤ n s.t. M_{i,j} ≠ (?,=) or M_{j,i} ≠ (?,=) then return M_∅ ;
 5     M_{i,0} ← (⊥,=) ; M_{0,i} ← (⊥,=) ;
 6   foreach 0 ≤ i, j ≤ n s.t. M_{i,j} ∉ {(?,=), (⊥,=)} do
 7     S ← S ∪ {i, j} ;
 8   foreach i, j ∈ S do SetCst(M_{i,j}) ;
 9   M' ← DBMNormalise(M, S) ;
10   if M' = Empty then return M_∅ ;
11   return M' ;

12 SetCst(M_{i,j}) begin
13   if M_{i,j} = (?,=) then
14     if x_i ∈ P_Σ and (x_j ∈ H_Σ or x_j = x_0) then M_{i,j} ← (0,≤) ;
15     else M_{i,j} ← (∞,<) ;

Operations on zones The four basic operations we need to perform on event-zones are: (i) future of an event-zone $Z$: $\overrightarrow{Z} = \{v \in V(C_\Sigma) \mid \exists v' \in Z, t \in \mathbb{R}^{\ge 0} : v = v' + t\}$; (ii) past of an event-zone $Z$: $\overleftarrow{Z} = \{v \in V(C_\Sigma) \mid \exists t \in \mathbb{R}^{\ge 0} : v + t \in Z\}$; (iii) intersection of two event-zones $Z$ and $Z'$; and (iv) release of a clock $x$ in $Z$: $\mathrm{rel}_x(Z) = \{v[x := d] \mid v \in Z, d \in \mathbb{R}^{\ge 0} \cup \{\bot\}\}$. Moreover, we also need to be able to test for inclusion of two zones encoded as EDBMs. Let $M$, $M^1$ and $M^2$ be EDBMs in normal form, on $n$ clocks. Then:

Future If $M = M_\emptyset$, we let $\overrightarrow{M} = M_\emptyset$. Otherwise, we let $\overrightarrow{M}$ be s.t.:

$$\overrightarrow{M}_{i,j} = \begin{cases}
(0, \le) & \text{if } M_{i,j} \notin \{(\bot,=), (?,=)\},\ j = 0 \text{ and } x_i \in P_\Sigma \\
(\infty, <) & \text{if } M_{i,j} \notin \{(\bot,=), (?,=)\},\ j = 0 \text{ and } x_i \in H_\Sigma \\
M_{i,j} & \text{otherwise}
\end{cases}$$

Past If $M = M_\emptyset$, we let $\overleftarrow{M} = M_\emptyset$. Otherwise, we let $\overleftarrow{M}$ be s.t. for all $i, j$:

$$\overleftarrow{M}_{i,j} = \begin{cases}
(\infty, <) & \text{if } M_{i,j} \notin \{(\bot,=), (?,=)\},\ i = 0 \text{ and } x_j \in P_\Sigma \\
(0, \le) & \text{if } M_{i,j} \notin \{(\bot,=), (?,=)\},\ i = 0 \text{ and } x_j \in H_\Sigma \\
M_{i,j} & \text{otherwise}
\end{cases}$$

Intersection We consider several cases. If $M^1 = M_\emptyset$ or $M^2 = M_\emptyset$, we let $M^1 \cap M^2 = M_\emptyset$. If there are $0 \le i, j \le n$ s.t. $M^1_{i,j} \not\le M^2_{i,j}$ and $M^2_{i,j} \not\le M^1_{i,j}$, we let $M^1 \cap M^2 = M_\emptyset$ too. Otherwise, we let $M^1 \cap M^2$ be the EDBM $M'$ s.t. for all $i, j$: $M'_{i,j} = \min(M^1_{i,j}, M^2_{i,j})$.

Release Let $x$ be an event clock. In the case where $M = M_\emptyset$, we let $\mathrm{rel}_x(M) = M_\emptyset$. Otherwise, we let $\mathrm{rel}_x(M)$ be the EDBM s.t. for all $i, j$:

$$\mathrm{rel}_x(M)_{i,j} = \begin{cases}
M_{i,j} & \text{if } x_i \neq x \text{ and } x_j \neq x \\
(?, =) & \text{otherwise}
\end{cases}$$

Inclusion We note $M^1 \subseteq M^2$ iff $M^1_{i,j} \le M^2_{i,j}$ for all $0 \le i, j \le n$.
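As an added example (not code from the paper), the EDBM encoding, Algorithm 1 and the future, intersection and inclusion operations above in Python, exercised on the example EDBM of this section. Two assumptions are made: column 0 of the first example matrix is taken as reconstructed above, and SetCst treats $x_0$ like a prophecy clock towards history clocks and like a history clock towards prophecy clocks, which is what row 0 of the normal-form matrix above shows.

```python
"""Event-clock DBMs (EDBMs): Algorithm 1 and the zone operations of Section 5.
Clocks are indexed 1..n, index 0 is the reference clock x0 = 0.  Prophecy clocks
are stored by their opposite value, so entry (i, j) bounds enc(x_i) - enc(x_j)
with enc(x) = -x for prophecy and enc(x) = x for history clocks."""
from itertools import product

INF, BOT, ANY = float("inf"), "bot", "?"     # ∞ and the special symbols ⊥ and ?
LE, LT, EQ = "<=", "<", "="
NO_CST, IS_BOT = (ANY, EQ), (BOT, EQ)
EMPTY = None                                 # canonical empty EDBM M_∅
TYPES = {1: "P", 2: "P", 3: "H", 4: "H"}     # x1, x2 prophecy; x3, x4 history

def le(a, b):
    """The paper's ordering: b is ?, or a == b, or real bounds with a tighter."""
    (m1, r1), (m2, r2) = a, b
    if m2 == ANY or a == b:
        return True
    if m1 in (ANY, BOT) or m2 == BOT:
        return False
    return m1 < m2 or (m1 == m2 and r2 == LE)

def add(a, b):
    """Sum of two real bounds: strict if either summand is strict."""
    return (a[0] + b[0], LT if LT in (a[1], b[1]) else LE)

def weakest_real(i, j, types):
    """SetCst: weakest bound on enc(x_i) - enc(x_j) once both clocks are real.
    With s = -1 (prophecy), +1 (history), 0 (x0, assumption) it is (0, <=) iff s_i <= 0 <= s_j."""
    s = lambda k: 0 if k == 0 else (-1 if types[k] == "P" else 1)
    return (0, LE) if s(i) <= 0 <= s(j) else (INF, LT)

def normalise(M, types=TYPES):
    """Algorithm 1: a normal-form EDBM with the same zone as M, or EMPTY."""
    n, M = len(M) - 1, [row[:] for row in M]
    for i in range(1, n + 1):           # step 1: clocks forced to ⊥
        if IS_BOT in (M[i][0], M[0][i]):
            if any(M[i][j] != NO_CST or M[j][i] != NO_CST for j in range(1, n + 1)) \
                    or {M[i][0], M[0][i]} - {NO_CST, IS_BOT}:  # real bound on a ⊥ clock
                return EMPTY
            M[i][0] = M[0][i] = IS_BOT
    cells = product(range(n + 1), repeat=2)  # step 2: clocks with a real constraint
    S = {0} | {k for i, j in cells if M[i][j] not in (NO_CST, IS_BOT) for k in (i, j)}
    for i, j in product(S, repeat=2):   # every ? among them becomes a real bound
        if M[i][j] == NO_CST:
            M[i][j] = (0, LE) if i == j else weakest_real(i, j, types)
    idx = sorted(S)                     # step 3: DBMNormalise = Floyd-Warshall on S
    for k, i, j in product(idx, repeat=3):
        if not le(M[i][j], add(M[i][k], M[k][j])):
            M[i][j] = add(M[i][k], M[k][j])
    return EMPTY if any(not le((0, LE), M[i][i]) for i in idx) else M

def future(M, types=TYPES):
    """Future: only entries (i, 0) change; history clocks become unbounded above,
    prophecy clocks may decrease down to 0."""
    if M is EMPTY:
        return EMPTY
    F = [row[:] for row in M]
    for i in range(1, len(M)):
        if M[i][0] not in (NO_CST, IS_BOT):
            F[i][0] = (0, LE) if types[i] == "P" else (INF, LT)
    return F

def intersect(M1, M2):
    """Pointwise minimum; EMPTY when a pair of elements is incomparable (⊥ vs real)."""
    if M1 is EMPTY or M2 is EMPTY:
        return EMPTY
    pairs = [(a, b) for r1, r2 in zip(M1, M2) for a, b in zip(r1, r2)]
    if any(not le(a, b) and not le(b, a) for a, b in pairs):
        return EMPTY
    return [[a if le(a, b) else b for a, b in zip(r1, r2)] for r1, r2 in zip(M1, M2)]

def included(M1, M2):
    """M1 ⊆ M2 for normal-form EDBMs: pointwise ordering of the elements."""
    return M1 is EMPTY or (M2 is not EMPTY and
                           all(le(a, b) for r1, r2 in zip(M1, M2) for a, b in zip(r1, r2)))

def example():
    """First EDBM of the paper's example: x1 = ⊥, 0 <= x3 - x4 <= 1, x2 + x4 <= 2."""
    _, B, Z = NO_CST, IS_BOT, (0, LE)
    return [[Z, B, _, _, _],
            [B, _, _, _, _],
            [Z, _, Z, _, _],
            [_, _, _, Z, (1, LE)],
            [_, _, (2, LE), Z, Z]]
```

Besides the entries of the normal-form matrix shown above, the Floyd-Warshall pass also derives $M_{4,0} = (2, \le)$ and $M_{0,2} = (2, \le)$, since $x_2 + x_4 \le 2$ together with $x_2, x_4 \ge 0$ bounds each of the two clocks by 2.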



Proposition 4. Let $M$, $M^1$, $M^2$ be EDBMs in normal form, on set of clocks $C$. Then, (i) $[\![\overrightarrow{M}]\!] = \overrightarrow{[\![M]\!]}$, (ii) $[\![\overleftarrow{M}]\!] = \overleftarrow{[\![M]\!]}$, (iii) $[\![M^1 \cap M^2]\!] = [\![M^1]\!] \cap [\![M^2]\!]$, (iv) for all clock $x \in C$, $[\![\mathrm{rel}_x(M)]\!] = \mathrm{rel}_x([\![M]\!])$ and (v) $[\![M^1]\!] \subseteq [\![M^2]\!]$ iff $M^1 \subseteq M^2$.

Proof. 1. In the case where $M = M_\emptyset$ the proof is trivial. Otherwise, $M$ is non-empty, since it is in normal form. We assume that $M$ is an EDBM on set of clocks $C = \{x_1, \ldots, x_n\}$, that for all $0 \le i, j \le n$: $M_{i,j} = (m_{i,j}, \prec_{i,j})$ and that $\overrightarrow{M}_{i,j} = (\vec m_{i,j}, \vec\prec_{i,j})$. It is easy to see that any $v \in \overrightarrow{[\![M]\!]}$ satisfies the constraints of $\overrightarrow{M}$. Thus, $\overrightarrow{[\![M]\!]} \subseteq [\![\overrightarrow{M}]\!]$. Consider now a valuation $v \in [\![\overrightarrow{M}]\!]$. We need to find a delay $t \in \mathbb{R}^{\ge 0}$ such that there exists $v_M \in [\![M]\!]$ such that $v_M + t = v$. This amounts to solving the following system of inequalities:

$$\begin{array}{ll}
-m_{i0} - v(x_i) \prec_{i0} t \prec_{0i} m_{0i} - v(x_i) & \text{for all } x_i \in P_\Sigma \cap C \text{ such that } m_{0i} \notin \{\bot, ?\} \\
v(x_i) - m_{i0} \prec_{i0} t \prec_{0i} v(x_i) + m_{0i} & \text{for all } x_i \in H_\Sigma \cap C \text{ such that } m_{0i} \notin \{\bot, ?\} \\
0 \le t
\end{array}$$

with the convention that $\infty + c = \infty - c = \infty$ and that $-\infty + c = -\infty - c = -\infty$ for all $c \in \mathbb{N}$. We show that the set of solutions is not empty, i.e. that all inequalities are pairwise coherent.

Since for all $x_i \in P_\Sigma \cap C$, $(\vec m_{0i}, \vec\prec_{0i}) = (m_{0i}, \prec_{0i})$, we know that $v(x_i) \prec_{0i} m_{0i}$, and since for all $x_i \in H_\Sigma \cap C$, $(\vec m_{0i}, \vec\prec_{0i}) = (m_{0i}, \prec_{0i})$, we also know that $-m_{0i} \prec_{0i} v(x_i)$. Then, none of the inequalities forces $t$ to be negative.

Let now $x_i, x_j$ be two prophecy clocks s.t. $m_{0,i} \notin \{\bot, ?\}$ and $m_{0,j} \notin \{\bot, ?\}$. For all $v_M \in [\![M]\!]$, $-m_{i0} \prec_{i0} v_M(x_i) \prec_{0i} m_{0i}$ and $-m_{j0} \prec_{j0} v_M(x_j) \prec_{0j} m_{0j}$, then $-m_{i0} - m_{0j} \prec_1 v_M(x_i) - v_M(x_j) \prec_2 m_{0i} + m_{j0}$, where $\prec_1 = \le$ iff $\prec_{i0} = \le$ and $\prec_{0j} = \le$, and $\prec_2 = \le$ iff $\prec_{0i} = \le$ and $\prec_{j0} = \le$. Since $M$ is in normal form, $(m_{ji}, \prec_{ji}) \le (m_{0i} + m_{j0}, \prec_2)$ and $(m_{ij}, \prec_{ij}) \le (m_{i0} + m_{0j}, \prec_1)$. Since $(\vec m_{ij}, \vec\prec_{ij}) = (m_{ij}, \prec_{ij})$ and $(\vec m_{ji}, \vec\prec_{ji}) = (m_{ji}, \prec_{ji})$, we deduce that $-m_{i0} - m_{0j} \prec_1 v(x_i) - v(x_j) \prec_2 m_{0i} + m_{j0}$. Hence, $-m_{i0} - v(x_i) \prec_1 m_{0j} - v(x_j)$ and $-m_{j0} - v(x_j) \prec_2 m_{0i} - v(x_i)$. Then the constraints on $t$ deduced from $x_i$ and $x_j$ are coherent. With the same arguments, we obtain that the constraints on $t$ deduced from $x_i, x_j \in H_\Sigma \cap C$ are coherent too.

Consider now $x_i \in P_\Sigma \cap C$ and $x_j \in H_\Sigma \cap C$. Then again, since any valuation $v_M$ in $[\![M]\!]$ satisfies $-m_{i0} - m_{0j} \prec_1 v_M(x_i) + v_M(x_j) \prec_2 m_{0i} + m_{j0}$, so does $v$, and one can deduce that $-m_{i0} - v(x_i) \prec_1 v(x_j) + m_{0j}$ and $v(x_j) - m_{j0} \prec_2 m_{0i} - v(x_i)$, and hence that the constraints on $t$ derived from $x_i \in P_\Sigma \cap C$ and $x_j \in H_\Sigma \cap C$ are coherent.

Then, the set of solutions of the inequalities is not empty. Let $t$ be such a solution. We let $v_M$ be the valuation s.t. $v_M(x) = v(x) + t$ for any $x \in P_\Sigma \cap C$ and $v_M(x) = v(x) - t$ for all $x \in H_\Sigma \cap C$. Such a valuation exists, and is in $[\![M]\!]$ by construction. Then, since $v = v_M + t$ with $v_M \in [\![M]\!]$ and some $t \in \mathbb{R}^{\ge 0}$, we deduce that $v \in \overrightarrow{[\![M]\!]}$. We conclude that $[\![\overrightarrow{M}]\!] \subseteq \overrightarrow{[\![M]\!]}$.

2. As prophecy and history clocks evolve in opposite directions, the arguments of the proof for $\overrightarrow{M}$ can be adapted.

3. In the case where $M^1 = M_\emptyset$ or $M^2 = M_\emptyset$ the proof is trivial. Otherwise, $M^1$ and $M^2$ are non-empty, since they are in normal form. First consider the case where there are $0 \le i, j \le n$ s.t. $M^1_{i,j} \not\le M^2_{i,j}$ and $M^2_{i,j} \not\le M^1_{i,j}$. By definition of $\le$, this implies that either $M^1_{i,j}$ or $M^2_{i,j}$ is equal to $(\bot, =)$, and that the other constraint is of the form $(m, \prec)$, with $m \in \mathbb{R}^{\ge 0} \cup \{\infty\}$. Then, clearly $[\![M^1]\!] \cap [\![M^2]\!] = \emptyset$ and thus $[\![M^1]\!] \cap [\![M^2]\!] = [\![M_\emptyset]\!] = [\![M^1 \cap M^2]\!]$.

Thus, let us assume that for all $0 \le i, j \le n$, $\min(M^1_{i,j}, M^2_{i,j})$ is defined. Let $v$ be a valuation on the set of clocks $C = \{x_1, \ldots, x_n\}$, let $M$ be an EDBM on $C$. Then for all $0 \le i, j \le n$, we say that $v$ satisfies $M_{i,j} = (m_{i,j}, \prec_{i,j})$ (denoted $v \models M_{i,j}$) iff:

(a) either $m_{i,j} = ?$;
(b) or $i = 0$ and $m_{i,j} = \bot$ and $v(x_j) = \bot$;
(c) or $j = 0$ and $m_{i,j} = \bot$ and $v(x_i) = \bot$;
(d) or $m_{i,j} \notin \{?, \bot\}$ and $|x_i| - |x_j| \prec_{i,j} m_{i,j}$, assuming $\bot + c = c + \bot = \bot - c = c - \bot = \bot$ for all $c$.

Then, clearly, $[\![M]\!] = \{v \mid \forall 0 \le i, j \le n : v \models M_{i,j}\}$.

Then observe that, by definition of the ordering $\le$ on EDBM constraints:

$$(v \models (m_1, \prec_1) \text{ and } v \models (m_2, \prec_2)) \text{ iff } v \models \min\{(m_1, \prec_1), (m_2, \prec_2)\}$$

By definition of $M^1 \cap M^2$, we conclude that $[\![M^1]\!] \cap [\![M^2]\!] = [\![M^1 \cap M^2]\!]$.

4. In the case where $M = M_\emptyset$ the proof is trivial. Otherwise, $M$ is non-empty, since it is in normal form. Let us assume that $x$ is the clock of index $k$ in $C$. We first examine the case where $M_{k,0} = (?, =)$; then $\mathrm{rel}_x(M) = M$ since $M$ is in normal form. Since $x$ is already unconstrained in $M$, we have $\mathrm{rel}_x([\![M]\!]) = [\![M]\!]$. Hence $\mathrm{rel}_x([\![M]\!]) = [\![M]\!] = [\![\mathrm{rel}_x(M)]\!]$.

Otherwise, let us assume that $C = \{x_1, \ldots, x_n\}$ and that for all $0 \le i, j \le n$: $M_{i,j} = (m_{i,j}, \prec_{i,j})$. Let $v \in \mathrm{rel}_x([\![M]\!])$. Then there is some $v' \in [\![M]\!]$ such that $v'(y) = v(y)$ for all clocks $y \neq x$ in $C$. Since $v'$ satisfies all the constraints of $M$, $v$ satisfies all the constraints of $M$ related to clocks different from $x$, and hence $v \in [\![\mathrm{rel}_x(M)]\!]$. Thus, $\mathrm{rel}_x([\![M]\!]) \subseteq [\![\mathrm{rel}_x(M)]\!]$.

Conversely, let $v \in [\![\mathrm{rel}_x(M)]\!]$. We consider two cases. Either $M_{k,0} = (\bot, =)$. We let $v'$ be the valuation s.t. $v'(x) = \bot$ and for all $y \neq x$: $v'(y) = v(y)$. Clearly $v' \in [\![M]\!]$ since $M$ is non-empty and in normal form. Hence, $v \in \mathrm{rel}_x([\![M]\!])$. Otherwise $M_{k,0} = (m, \prec)$ with $m \in \mathbb{R}^{\ge 0} \cup \{\infty\}$, since we have already ruled out the case $M_{k,0} = (?, =)$. We let $v'$ be a valuation that is a solution of the following set of inequalities if $x$ is a history clock:

$$\begin{array}{ll}
v'(y) = v(y) & \text{for all } y \neq x \\
-m_{jk} \prec_{jk} v'(x) - v'(x_j) \prec_{kj} m_{kj} & \text{for all } x_j \in (H_\Sigma \cap C) \setminus \{x\} \\
-m_{jk} \prec_{jk} v'(x) + v'(x_j) \prec_{kj} m_{kj} & \text{for all } x_j \in (P_\Sigma \cap C) \setminus \{x\}
\end{array}$$

or a solution of the following set of inequalities if $x$ is a prophecy clock:

$$\begin{array}{ll}
v'(y) = v(y) & \text{for all } y \neq x \\
-m_{kj} \prec_{kj} v'(x) - v'(x_j) \prec_{jk} m_{jk} & \text{for all } x_j \in (P_\Sigma \cap C) \setminus \{x\} \\
-m_{jk} \prec_{jk} v'(x) + v'(x_j) \prec_{kj} m_{kj} & \text{for all } x_j \in (H_\Sigma \cap C) \setminus \{x\}
\end{array}$$

assuming as usual that $\bot + c = c + \bot = \bot - c = c - \bot = \bot$.

Since $M$ is in normal form, such a $v'$ exists (otherwise, some of the constraints could be strengthened without modifying the zone, and $M$ would not be in normal form), and it is in $[\![M]\!]$. Hence $v$ is in $\mathrm{rel}_x([\![M]\!])$. We conclude that $[\![\mathrm{rel}_x(M)]\!] \subseteq \mathrm{rel}_x([\![M]\!])$.

5. The proof stems from the fact that $[\![M^1]\!] \subseteq [\![M^2]\!]$ iff $[\![M^1]\!] \cap [\![M^2]\!] = [\![M^1]\!]$ iff $[\![M^1 \cap M^2]\!] = [\![M^1]\!]$ iff $\min(M^1_{i,j}, M^2_{i,j}) = M^1_{i,j}$ for all $0 \le i, j \le n$ (by Proposition 4).

□

Forward and backward analysis We present now the forward and backward analysis algorithms adapted to ECA. From now on, we consider an ECA $A = (Q, q_i, \Sigma, \delta, \alpha)$. We also let $\mathrm{Post}((q, v)) = \{(q', v') \mid \exists t, a : (q, v) \xrightarrow{t, a} (q', v')\}$ and $\mathrm{Pre}((q, v)) = \{(q', v') \mid \exists t, a : (q', v') \xrightarrow{t, a} (q, v)\}$ and we extend those operators to sets of states in the natural way. Moreover, given a set of valuations $Z$ and a location $q$, we abuse notations and denote by $(q, Z)$ the set $\{(q, v) \mid v \in Z\}$. Also, we let $\mathrm{Post}^*((q, Z)) = \bigcup_{n \in \mathbb{N}} \mathrm{Post}^n((q, Z))$ and $\mathrm{Pre}^*((q, Z)) = \bigcup_{n \in \mathbb{N}} \mathrm{Pre}^n((q, Z))$, where $\mathrm{Post}^0((q, Z)) = (q, Z)$ and $\mathrm{Post}^n((q, Z)) = \mathrm{Post}(\mathrm{Post}^{n-1}((q, Z)))$, and similarly for $\mathrm{Pre}^n((q, Z))$. The Post and Pre operators are sufficient to solve language emptiness for ECA:

Lemma 3 (adapted from [3], Lemma 1). Let $A = (Q, q_i, \Sigma, \delta, \alpha)$ be an ECA, let $I = \{(q_i, v) \mid v \text{ is initial}\}$, and let $\bar\alpha = \{(q, v) \mid q \in \alpha \text{ and } v \text{ is final}\}$. Then: $\mathrm{Post}^*(I) \cap \bar\alpha \neq \emptyset$ iff $\mathrm{Pre}^*(\bar\alpha) \cap I \neq \emptyset$ iff $L(A) \neq \emptyset$.

Let us show how to compute these operators on event-zones. Given a location $q$, an event-zone $Z$ on $C_\Sigma$, and an edge $e = (q, a, \psi, q') \in \delta$, we let:

$$\mathrm{Post}_e((q_1, Z)) = \begin{cases}
\left(q',\ \mathrm{rel}_{\overleftarrow{x}_a}\!\left(\mathrm{rel}_{\overrightarrow{x}_a}\!\left(\overrightarrow{Z} \cap (\overrightarrow{x}_a = 0)\right) \cap \psi\right) \cap (\overleftarrow{x}_a = 0)\right) & \text{if } q_1 = q \\
\emptyset & \text{otherwise}
\end{cases}$$

$$\mathrm{Pre}_e((q_1, Z)) = \begin{cases}
\left(q,\ \overleftarrow{\mathrm{rel}_{\overrightarrow{x}_a}\!\left(\mathrm{rel}_{\overleftarrow{x}_a}\!\left(Z \cap (\overleftarrow{x}_a = 0)\right) \cap \psi\right) \cap (\overrightarrow{x}_a = 0)}\right) & \text{if } q_1 = q' \\
\emptyset & \text{otherwise}
\end{cases}$$
Algorithm 2: The forward and backward algorithms.

 1 ForwExact begin
 2   Let Visited = ∅ ; Let Wait = {(q_i, Z_0)} ;
 3   while Wait ≠ ∅ do
 4     Get and remove (q, Z) from Wait ;
 5     if q ∈ α and Z ∩ Z_f ≠ ∅ then return Yes ;
 6     if there is no (q, Z') ∈ Visited s.t. Z ⊆ Z' then
 7       Visited := Visited ∪ {(q, Z)} ;
 8       Wait := Wait ∪ Post((q, Z)) ;
     return No ;

 9 BackExact begin
10   Let Visited = ∅ ; Let Wait = {(q, Z_f) | q ∈ α} ;
11   while Wait ≠ ∅ do
12     Get and remove (q, Z) from Wait ;
13     if q = q_i and Z ∩ Z_0 ≠ ∅ then return Yes ;
14     if there is no (q, Z') ∈ Visited s.t. Z ⊆ Z' then
15       Visited := Visited ∪ {(q, Z)} ;
16       Wait := Wait ∪ Pre((q, Z)) ;
     return No ;




Figure 3: An ECA for which backward analysis does not terminate (locations $q_0$, $q_1$, $q_2$).



Then, it is easy to check that $\mathrm{Post}((q, Z)) = \bigcup_{e \in \delta} \mathrm{Post}_e((q, Z))$ and $\mathrm{Pre}((q, Z)) = \bigcup_{e \in \delta} \mathrm{Pre}_e((q, Z))$. With the algorithms on EDBMs presented above, these definitions can be used to compute the Pre and Post of zones using their EDBM encodings. Remark that Pre and Post return sets of event-zones, as these are not closed under union. Let us now consider the ForwExact and BackExact algorithms to test for language emptiness of ECA, shown in Algorithm 2. In these two algorithms $Z_0$ denotes the zone $\bigwedge_{x \in H_\Sigma} x = \bot$ containing all the possible initial valuations and $Z_f$ denotes the zone $\bigwedge_{x \in P_\Sigma} x = \bot$ representing all the possible final valuations. By Lemma 3 it is clear that ForwExact and BackExact are correct when they terminate. Unfortunately, Fig. 3 shows an ECA on which the backward algorithm does not terminate. Since history and prophecy clocks are symmetrical, this example can be adapted to define an ECA on which the forward algorithm does not terminate either. Remark that in the case of timed automata, the forward analysis is not guaranteed to terminate, whereas the backward analysis always terminates (the proof relies on a bisimulation argument) [1].

Figure 4: Examples for $\mathrm{Closure}_\mathcal{R}$ and $\mathrm{Approx}_k$ (panels (a) and (b); legend: $\mathrm{Closure}_\mathcal{R}(Z) \setminus Z$, $Z$).

Proposition 5. Neither ForwExact nor BackExact terminate in general. 

Proof. We give the proof for BackExact; a similar proof for ForwExact can then be deduced by symmetry. Consider the ECA in Fig. 3. Running the backward analysis algorithm from $(q_2, Z_f)$, we obtain, after selecting the transition $e = (q_2, b, \mathit{true}, q_2)$, the zone $Z_1 = \overrightarrow{x}_a = \bot \wedge \overrightarrow{x}_b \ge 0$. Then, the transition $e' = (q_1, a, \overrightarrow{x}_b = 1, q_2)$ is back-firable and we attain the zone $Z_2 = \overrightarrow{x}_a \ge 0 \wedge \overrightarrow{x}_b \ge 1 \wedge \overrightarrow{x}_b - \overrightarrow{x}_a = 1$. At this point the transition $e'' = (q_1, a, \overleftarrow{x}_b = 1, q_1)$ is back-firable, which leads to the zone $Z_3 = \overrightarrow{x}_b \ge 1 \wedge \overrightarrow{x}_a \ge 0 \wedge 0 \le \overleftarrow{x}_b \le 1 \wedge \overrightarrow{x}_b - \overrightarrow{x}_a \ge 1 \wedge \overrightarrow{x}_b + \overleftarrow{x}_b \ge 2$. The back-firing of the $e''$ transition can be repeated and, by induction, after $n$ iterations of the loop the algorithm reaches the zone $Z^n = \overrightarrow{x}_b \ge n \wedge \overrightarrow{x}_a \ge 0 \wedge 0 \le \overleftarrow{x}_b \le 1 \wedge \overrightarrow{x}_b - \overrightarrow{x}_a \ge n \wedge \overrightarrow{x}_b + \overleftarrow{x}_b \ge n + 1$. Thus, the condition of the if testing whether $Z$ is covered by an already visited zone is always fulfilled, and the algorithm visits an infinite number of zones, without reaching $q_0$. □



6 Future work: widening operators 

As said earlier, the zone-based forward analysis algorithm does not terminate either in the case of timed automata. To recover termination, widening operators have been defined. The most popular widening operator is the so-called $k$-approximation on zones [5]. Roughly speaking, it is defined as follows: in the definition of the zone, replace any constraint of the form $x_i \prec c$ or $x_i - x_j \prec c$ by respectively $x_i < \infty$ and $x_i - x_j < \infty$ if and only if $c > k$, and replace any constraint of the form $c \prec x_i$ or $c \prec x_i - x_j$ by respectively $k < x_i$ and $k < x_i - x_j$, if and only if $c > k$. Such an operator can be easily computed on DBMs, and is a standard operation implemented in several tools such as UppAal [4] for more than 15 years. Nevertheless, this operator has been widely discussed in the recent literature since Bouyer pointed out several flaws in the proposed proofs of soundness [6]. Actually, the $k$-approximation is sound when the timed automaton contains no diagonal constraints. Unfortunately, $k$-approximation is not sound when the timed automaton contains diagonal constraints, and no sound widening operator exists in this case.

In [6], Bouyer identifies some subclasses of timed automata for which the widening operator is provably correct. The idea of the proof relies mainly on the definition of another widening operator, called the closure by regions, which is shown to be sound. The closure by regions of a zone $Z$, with respect to a set of regions $\mathcal{R}$, is defined as the smallest set of regions from $\mathcal{R}$ that have a non-empty intersection with $Z$, i.e. $\mathrm{Closure}_\mathcal{R}(Z) = \{r \in \mathcal{R} \mid Z \cap r \neq \emptyset\}$. Then, the proof concludes by showing that $\mathrm{Approx}_k(Z)$ is sound for some values of $k$ (that are proved to exist) s.t.

$$Z \subseteq \mathrm{Approx}_k(Z) \subseteq \mathrm{Closure}_\mathcal{R}(Z). \qquad (7)$$

In the perspective of bringing ECA from theory to implementation, provably correct widening operators are necessary, since neither the forward nor the backward algorithm terminates in general. We plan to adapt the $k$-approximation to ECA, and we believe that we can follow the general idea of the proof in [6]. However, the proof techniques will not be applicable in a straightforward way, for several reasons. First, the proof of [6] relies on the following property, which holds in the case of timed automata: for all zones $Z$ and all locations $q$: $\mathrm{Post}((q, \mathrm{Closure}_\mathcal{R}(Z))) \subseteq \mathrm{Closure}_\mathcal{R}(\mathrm{Post}((q, Z)))$. Unfortunately this is not the case in general with ECA. Indeed, consider the zone $Z$ and the region $r$ in Fig. 4(a). Clearly, $r$ is included in $\mathrm{Closure}_\mathcal{R}(Z)$ but $r$ is not included in $\mathrm{Closure}_\mathcal{R}(\overrightarrow{Z})$ (recall that prophecy clocks decrease with time elapsing). Moreover, the definition of the $k$-approximation will need to be adapted to the case of ECA. Indeed, the second inclusion in (7) does not hold when using the $k$-approximation defined for timed automata, which merely replaces all constants $> k$ by $\infty$ in the constraints of the zone. Indeed, consider the event-zone $Z$ defined by $\overrightarrow{x}_a + \overleftarrow{x}_a \le 2$ in Fig. 4(b), together with the set of regions $\mathcal{R} = \mathrm{Reg}(C_{\{a\}}, 1)$. Clearly, with such a definition, the constraint $\overrightarrow{x}_a + \overleftarrow{x}_a \le 2$ would be replaced by $\overrightarrow{x}_a + \overleftarrow{x}_a < \infty$, which yields an approximation that intersects with $r$, and is thus not contained in $\mathrm{Closure}_\mathcal{R}(Z)$. We keep open for future work the definition of a provably correct adaptation of the $k$-approximation for ECA.